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HOMELAND CYBERSECURITY AND DHS 
ENTERPRISE ARCHITECTURE BUDGET 
HEARING FOR FISCAL YEAR 2005 


Tuesday, March 30, 2004 

House of Representatives, 

Select Committee on Homeland Security, 
Subcommittee on Cybersecurity, Science, 
and Research and Development, 

Washington, D.C. 

The subcommittee met, pursuant to call, at 10:06 a.m., in Room 
2325, Rayburn House Office 

Building, Hon. Mac Thornberry [chairman of the subcommittee] 
presiding. 

Present: Representatives Thornberry, Smith, Camp, Linder, Gib- 
bons, Cox (ex officio), 

Lofgren, Andrews, (Del.) Christensen, Etheridge, Lucas, 
Langevin, Meek, and Turner (ex officio). 

Also Present: Representative Dunn. 

Mr. Thornberry. The hearing will come to order. I would like 
to welcome our witnesses and guests to this hearing of the Sub- 
committee on Cybersecurity, Science, and Research and Develop- 
ment. 

Last year, we received a number of perspectives on cybersecurity 
from academia, think tanks, the technology industry, government 
agencies, users, and others. All want the Department to succeed in 
its mission to protect our Nation. All emphasized the importance 
of cyberspace and the need for stronger cybersecurity in govern- 
ment, industry, academia, and at home. 

Now, as we move into the second year of the Department of 
Homeland Security there remain many areas in cybersecurity in 
need of improvement. Cyber is an area that can touch across vir- 
tually every aspect of our lives, from electrical grids, airport control 
towers, manufacturing, banking, chemical plants, and many other 
areas. 

With the creation of the National Cybersecurity Division last 
June, I was pleased the Department acknowledged the need to con- 
solidate the cyber mission into an organization that could have one 
voice in dealing with international, Federal, State, local, and pri- 
vate sectors. However, over the course of recent months I have 
been concerned that many of the cybersecurity resources within the 
Department remain fragmented and have not been integrated 
under the Cybersecurity Division. 

( 1 ) 
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Our Nation needs a seamless, well-functioning organization with- 
in the Department to work with industry, other government ele- 
ments, academia, and the home user. That is part of the external 
cybersecurity mission of the Department. 

But there is also an internal cybersecurity mission for the De- 
partment. The Chief Information Officer has responsibility for pro- 
tecting the Nation’s most sensitive data that has been entrusted to 
the DHS to counter terrorism against the homeland. As the De- 
partment develops its enterprise architecture, privacy and classi- 
fied information are two areas that must be considered as the net- 
works from the 22 agencies are brought together. 

I also believe that the Department must be a role model for the 
rest of government as well as the private sector in how they secure 
their own information infrastructure. DHS needs to “walk-the-talk” 
and achieve the highest standards within the Federal Government 
and cybersecurity. The creation of the Department should also re- 
sult in efficiencies through integration and also find the most effec- 
tive use of resources. 

I look forward to hearing about your progress in both areas over 
the course of the past year. 

Prepared Statement of The Honorable Mac Thornberry, Chairman, Select 
Committee on Homeland Security 

I would like to welcome our witnesses and guests to today’s hearing. 

Last year, this subcommittee received a number of perspectives on cybersecurity, 
from academia, think tanks, the technology industry, government agencies, users, 
and others. All want the Department of Homeland Security to succeed in their mis- 
sion to protect our nation. All emphasized the importance of cyberspace and the 
need for stronger cybersecurity in government, industry, academia, and at home. 

As we move into the 2nd year for the Department of Homeland Security, there 
remain many areas in cybersecurity in need of improvement. Cyber is an area that 
cross-cuts virtually very aspect of our lives. Electrical grids, airport control towers, 
manufacturing, banking, chemical plants, and many other areas are dependent upon 
their computers, information, and networks to be reliable and secure from attacks. 

With the creation of the National Cybersecurity Division (NCSD) last June, I was 
pleased that the Department acknowledged the need to consolidate the cyber mis- 
sion into an organization that could have “one voice” in dealing with international, 
federal, state, local and private sectors. However, over the course of recent months, 
I am concerned that many of the cybersecurity resources within the Department re- 
main fragmented and have not been integrated under NCSD. 

Our nation needs a seamless and well-functioning organization within the Depart- 
ment to work across industry, other government elements, academia, and the home 
user. That is part of the external cybersecurity mission for the Department of 
Homeland Security. 

There is also an internal cybersecurity mission for the Department. The Chief In- 
formation Officer has the responsibility for protecting our nation’s most sensitive 
data that has been entrusted to DHS to counter terrorism against the homeland. 
As the Department develops its enterprise architecture, privacy and classified infor- 
mation are two areas that must be considered as the networks from the 22 agencies 
are brought together. 

I also believe the Department must be a role model for the rest of the govern- 
ment — as well as the private sector — in how they secure their own information in- 
frastructure. DHS needs to “walk the talk” and achieve the highest standards with- 
in the federal government in cybersecurity. The creation of the Department should 
result in efficiencies through integration and also find the most effective use of re- 
sources. I look forward to hearing about your progress and plans for the coming 
year. 

Before we turn to our witnesses, let me yield to the distinguished 
ranking member, the gentlelady from California. 

Ms. Lofgren. Thank you, Chairman Thornberry. 
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The Select Committee on Homeland Security is in the process of 
tracking the first ever authorization bill through the Department 
of Homeland Security, and I believe that today’s hearing before this 
subcommittee will serve as an important part of the authorization 
process. We will focus on cybersecurity activities of the Infrastruc- 
ture Protection Directorate and will explore the information tech- 
nology and enterprise architecture issues facing the agency, and it 
will give us an opportunity to understand resource and policy 
issues pertaining to the budget request for the next fiscal year. 

In addition, members may explore additional legislative issues 
relevant to the Director’s activities for possible inclusion into the 
authorization bill. 

Certainly, we have no shortage of issues to discuss with our wit- 
nesses today. Earlier this month President Bush and Secretary 
Ridge celebrated the first anniversary of the creation of the Depart- 
ment of Homeland Security. At the event, the President said, 
quote, one of the most important steps we have taken to fight ter- 
rorism is creating the Department of Homeland Security combined 
under one room with a clear chain of command many agencies re- 
sponsible for protecting our Nation. Creating the newest depart- 
ment of our Federal Government was a tough task that required 
a lot of hard work, changing some old habits in order to merge into 
a new department. Unquote. 

I think this assessment of the Department is pretty optimistic, 
and I know that while rank and file employees have worked very 
hard over this past year to get it up and running, I am not con- 
vinced that the leadership of the Department of Homeland Security 
should be celebrating at this time, particularly in the area of 
cybersecurity. 

I am concerned about cyber policy in the Department. I am not 
convinced that cybersecurity is a priority within the overall Depart- 
ment of Homeland Security, and I am troubled by the lack of con- 
crete cybersecurity accomplishments over the past year. 

The release of the National Strategy to Secure Cyberspace was 
at the beginning of 2003. This policy paper established 
cybersecurity goals. At the end of 2003, the Department of Home- 
land Security convened a cybersecurity summit with major players 
in the technology industry in the Silicon Valley. Other than these 
two events, I am just not familiar with the work that is going on 
in DHS, and I think I am safe in saying that members of this sub- 
committee are somewhat frustrated. 

The threat of a cyber attack is very real. In 2003, we saw in- 
creasing worm and virus spreads, and Business Week estimated 
that the damage from worms last year alone was over $13 billion. 

Today’s witnesses are Mr. Robert Liscouski, Assistant Secretary 
for Infrastructure Protection, Information Analysis, and Infrastruc- 
ture Protection Directorate, and Mr. Steven Cooper, Chief Informa- 
tion Officer of the Department of Homeland Security. I hope that 
the witnesses today will be able to reassure this subcommittee that 
work is being done within the Department and that cybersecurity 
in fact is a priority for the administration. 

I would also like to note my frustration at the tardiness with 
which the statements were delivered to the committee. The rules 
of the Homeland Security Committee prescribe that witnesses who 
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wish to submit a written statement shall file them — not may, but 
shall file them 72 hours prior to the hearing. Mr. Liscouski’s state- 
ment was filed 14 hours prior to this committee and Mr. Cooper’s 
statement was filed 45 minutes before the committee hearing, and 
I think that that is a real disservice to every member of the com- 
mittee as we obviously have not had the time to really study Mr. 
Cooper’s statement or Mr. Liscouski’s statement. 

Before concluding, I would like to thank the chairman of this 
committee, Mr. Thornberry, who has led our committee with great 
skill and intelligence, and I appreciate his leadership. Thank you. 

Mr. Thornberry. I thank the gentlelady, and let me echo her 
frustration with the delays in having the statements before us. Ob- 
viously, it makes it more difficult for all of us to do our job well. 

Let me just, as a brief aside on timing. My understanding is that 
we will have votes roughly around 11:30. Mr. Liscouski also has 
another hearing in the Intelligence Committee around that time, 
and so I don’t want to limit anything but the briefer we can all be 
in our questions and responses we can cover more territory. I ap- 
preciate both of our witnesses. Without objection, other members of 
course may submit opening statements for the record. 

Prepared Statement of the Honorable Jim Turner, a Representative in Con- 
gress From the State of Texas, and Ranking Member, Subcommittee on 

Cybersecurity, Science, and Research & Development 

Thank you Mr. Chairman. 

Good Morning Gentlemen. Mr. Liscouski, it is a pleasure to have you testify be- 
fore our Committee again. Mr. Cooper, I believe this is the first time you have ap- 
peared before us — welcome. 

The Department of Homeland Security’s cybersecurity mission is two-fold. First, 
it is the key agency responsible for coordinating our nation’s efforts to protect our 
computer networks and critical infrastructures. Second, it must ensure that its own 
information technology systems are well-integrated and armed with appropriate 
safeguards. 

We recognize that these tasks are not easy but they must be done to help ensure 
the security of our homeland. The ever-changing nature of technology means that 
the Department must have the best expertise, personnel, tools, and full authority 
to effectively accomplish its mission. 

Unfortunately, the Department is not making the progress needed to secure our 
nation from a cyber attack. It is also not moving quickly enough to integrate and 
protect its own information technology systems. 

Mr. Liscouski, six months ago you appeared before this Subcommittee and told 
us that the Department, having finally found a Director to lead its cybersecurity ef- 
forts, was undertaking significant initiatives to further our country’s efforts to se- 
cure cyberspace and prepare and respond to network attacks. To date, however, the 
cybersecurity initiatives that the have been unveiled have not gotten us much fur- 
ther than we were before the creation of the Department. Indeed, some of the initia- 
tives appear to duplicate existing efforts. 

Let me just mention a few specific areas in which I see the Department’s efforts 
lagging. 

• First, it is not apparent to me that the Department has in place the ability 
and authority to direct other agencies with specific expertise in the event of a 
cyber crisis. 

• Second, the Department does not appear to have an effective and meaningful 
public — private cybersecurity partnership. Many in the private sector have little 
or no idea what you are doing, what is expected of them, or how they are sup- 
posed to integrate and coordinate with the Department. 

• Third, the Department has not sufficiently moved forward with the National 
Strategy to Secure Cyberspace released by the Administration a year ago. Why 
haven’t we yet seen clear assignments of responsibilities and deadlines for the 
Strategy’s implementation? If it is because the strategy won’t work or is ineffec- 
tive — we need to know that. 
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• Lastly, Mr. Liscouski, the Department’s 2005 budget does not clearly lay out 
what your directorate is planning to do to further our cybersecurity efforts. 
We’ve only seen broad assertions and categories of activities. There seems to be 
lacking a clear vision on what the Department is doing to secure cyberspace. 

Mr. Cooper, I must say I am equally concerned about the state of the Depart- 
ment’s efforts to build robust information technology systems within the Depart- 
ment and secure its own internal networks. There are specific areas, in particular, 
for which I am concerned. 

• First, the Department’s efforts to date have been too slow. Just last week, I 
saw one official stating that simple e-mail can’t get passed to people in the same 
office and that it takes hours for e-mail to bounce around the Department to 
reach its destination. We won’t win the war on terror if Homeland Security offi- 
cials can’t even talk to each other. 

• Second, good and consistent information technology policies can help speed 
the integration of terrorist watch lists, strengthen the security of our borders, 
and allow us to “connect the dots” to find terrorists. It worries me, Mr. Cooper, 
that you have publicly suggested that a consolidated watchlist may not be nec- 
essary. In my view, achieving this goal is critical for making our homeland secu- 
rity programs work. 

• Third, it is not clear to me, Mr. Cooper, that you have the sufficient authority 
to coordinate and direct the divisional Chief Information Officers within the De- 
partment. If this is a problem, I hope that you will be candid with us regarding 
any additional authorities your position requires. 

• Lastly, this past December, the Department received a 34 — the lowest grade 
of any agency — in the Government Reform Committee’s annual grading of agen- 
cies on the security of their computer systems. The Department should be set- 
ting an example for the rest of government to follow — not trailing at the back 
of the class. 

Gentleman, I thank you for appearing before our Committee today to address 
these important issues. 

I appreciate both of our witnesses being here today. Let me first 
call on Robert Liscouski, Assistant Secretary for Infrastructure 
Protection at the Department of Homeland Security. 

STATEMENT OF ROBERT LISCOUSKI, ASSISTANT SECRETARY 

FOR INFRASTRUCTURE PROTECTION, DEPARTMENT OF 

HOMELAND SECURITY 

Mr. Liscouski. Thank you, Mr. Chairman, and distinguished 
members of the subcommittee. I appreciate the opportunity to be 
here this morning. 

As you pointed out, I am responsible for infrastructure protection 
at the Department of Homeland Security, and I am pleased to be 
here before you today to discuss our progress that we have made 
in the National Cybersecurity Division and to discuss the Presi- 
dent’s fiscal year 2005 budget request. 

In today’s highly technical and digital world, we recognize that 
attacks against us may manifest themselves in many forms, includ- 
ing both physical and cyber attacks. And in addition, we recognize 
the potential impact of collateral damage from any one attack to 
a variety of assets. This interconnected and interdependent nature 
of our infrastructure makes our physical and cyber assets difficult 
to separate, and it would be irresponsible to address them in isola- 
tion. 

The integrated approach that DHS takes toward protection of 
physical and cyber assets and responsive threats and protection of 
its vulnerabilities enables us to consider the full range of risks to 
the Nation, including loss of life, destruction of infrastructure serv- 
ices, economic impact, and national security implications. Recog- 
nizing that future terrorist attacks may not be limited to either 
physical or cyber acts but rather a combination of the two to am- 
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plify the impact, my office is organized to examine and address 
threats and vulnerabilities across the nation’s infrastructure by 
using a five-step risk management methodology that measures the 
Nation’s risk profile in the context of and in the absence of threat 
information. Those major steps of the risk management method- 
ology include the identification of the critical infrastructure assets, 
the assessment of vulnerabilities, the normalization analysis and 
prioritization of protective measures, implementing protective pro- 
grams, and then finally the measurement of effectiveness and per- 
formance outputs so we can determine whether what we are doing 
is the right thing. 

The National Cybersecurity Division was created in June of 2003 
to serve as a national focal point for the public and the private sec- 
tors to address the cybersecurity issues and to coordinate the im- 
plementation of a national cyber strategy to secure cyberspace. 

Under that mandate, the National Cybersecurity Division has 
been working closely with our partners in the Federal Government, 
the private sector, and academia on a variety of programs and ini- 
tiatives to protect our information infrastructure. We recognize 
that the challenge is vast and complex, that the threats are multi- 
faceted and global in nature, and that our strengths and our 
vulnerabilities lie in our interdependencies; that the environment 
changes rapidly, and that information sharing and coordination are 
crucial to improving our overall national and economic security. 

The activities of the National Cybersecurity Division then are 
based on this understanding and designed to address each of the 
priorities set forth in the National Strategy to Secure Cyberspace. 

Priority one, a national cyberspace secure response system; 

Priority two, a national cyberspace security threat and vulner- 
ability reduction program; 

Priority three, a national cyberspace security awareness and 
training program; 

Priority four, securing the government’s cyberspace; and, 

Priority five, national security and international cyberspace secu- 
rity cooperation. 

When I appeared before the committee — before the subcommittee 
in September of 2003, I announced that Mr. Amit Yoran was to be- 
come the Director of the National Cybersecurity Division. Under 
his leadership, the division has aggressively pursued partnerships 
and programs and is building a strong team to meet its objectives. 
I also announced the creation of the U.S. Computer Emergency 
Readiness Team, or the US-CERT. The US-CERT is a key compo- 
nent of our cyber strategy and readiness and response system and 
the National Cybersecurity Division’s operational arm. The US- 
CERT provides a national coordination center that links public and 
private response capabilities to facilitate information sharing 
across infrastructure sectors and to help protect and maintain the 
continuity of our Nation’s cyber infrastructure. 

On 28 January of this year, the Department of Homeland Secu- 
rity through the US-CERT unveiled the National Cyber Alert Sys- 
tem. It is an operational system developed to deliver targeted and 
timely and actionable information to Americans to secure their 
computers. At the U.S. government, we have the responsibility to 
alert the public of imminent threats and to provide protective 
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measures where we can, and minimally to provide information nec- 
essary for the public to protect their systems. 

The day we inaugurated the system, the US-CERT site received 
more than 1 million hits. And today, from the first few weeks of 
that site, we have more than 250,000 direct subscribers who re- 
ceive the National Cyber security Alert information to enhance their 
cybersecurity. And I urge you all to visit that site at www.US- 
CERT.gov, to subscribe to our information services. 

To facilitate the preparation interagency and public-private co- 
operation coordination during and to recover from cyber incidents, 
we have created the Cyber Interagency Incident Management 
group, or Cyber IIMG. The Cyber IIMG coordinates intergovern- 
mental preparedness and operations to respond to and recover from 
cyber incidents and attacks. The group brings together senior offi- 
cials from national security, law enforcement, defense, intelligence, 
and other government agencies that maintain significant 
cybersecurity capabilities and that can bring to bear in response to 
an incident and, importantly, possess the necessary statutory au- 
thority to act. 

We have also broadened our interagency partnerships to create 
two new groups addressing the various challenges before us. The 
first is a Chief Information Security Officers Forum, CISO Forum, 
established to provide a trusted venue for our government informa- 
tion security offices to collaborate and share effective practices, ini- 
tiatives, capabilities, successes, and challenges. 

The second group is the Government Forum of Incidents Re- 
sponse and Security Teams, FIRST, a group of technical and tac- 
tical practitioners of security response teams responsible for secur- 
ing government information technology systems. GFIRST members 
work together to understand and handle computer security inci- 
dents and to encourage proactive and preventive security practices. 

One of our most important constituencies of course is the private 
sector, because as you well know it is estimated that 85 percent of 
America’s critical infrastructure is owned and operated by the pri- 
vate sector, and technology developed by the industry continues to 
fuel the growth and the evolution of the Internet. 

In December 2003, the Cybersecurity Division co-hosted the first 
National Cybersecurity Summit, which allowed the Department to 
work side by side with leaders in industry to address key 
cybersecurity issues facing the Nation. The Cyber Division is also 
working closely with research and academic communities to better 
educate and train future cyber analysts, and we are participating 
in the National Science Foundation Scholarship For Service, or the 
Cyber Corps program as well as the National Security Agency’s In- 
formation Assurance Centers for Excellence, academic excellence in 
26 States, for which there are 50 centers. 

The National Cybersecurity Division is only 9 months old, but 
these initiatives represent considerable progress toward making 
cybersecurity a reality and reflect our collective commitment to do 
much more. Each accomplishment fosters further activity which we 
have outlined in our fiscal year 2005 budget. The national 
cybersecurity budget for fiscal year 2005 request is $79 million, and 
it is based upon ongoing and future activities necessary to meet our 
mission. 



8 


The division is positively exploiting the work of its predecessors 
and building crucial partnerships as part of DHS’s overall efforts 
to enhance the protection of our Nation’s critical infrastructure. We 
have much to do and it will take time, resources, dedication, en- 
ergy, and hard work to succeed. We are committed to that chal- 
lenge, and we look forward to the opportunities to update the sub- 
committee on our progress. 

We are also approaching the next National Cybersecurity Day, I 
would like to point out, which is this Sunday. And as Americans 
turn their clocks forward, we also urge them to take this oppor- 
tunity to review and improve their cyber readiness. 

Again, I thank you for the opportunity to testify before you 
today, and I would be pleased to answer the questions at your con- 
venience. 

[The statement of Mr. Liscouski follows:] 

Prepared Statement of the Honorable Robert Liscouski 

Good morning, Chairman Thornberry and distinguished Members of the Sub- 
committee. My name is Robert Liscouski, and I am the Assistant Secretary for In- 
frastructure Protection in the Department of Homeland Security (DHS). I am 
pleased to appear before you today to provide an update on the Department’s Na- 
tional Cyber Security Division’s efforts in coordinating cyber security initiatives 
since my appearance in September 2003 and to discuss the President’s FY 2005 
budget request for the Division. In my testimony today, I will share information on 
a number of initiatives that use diverse channels of communication to reach our 
government partners as well as our mutual constituents — home users, small and 
medium-sized businesses, and corporations. 

Introduction 

March 1st marked the one-year anniversary of the Department of Homeland Secu- 
rity. In his remarks commemorating that day, Secretary Ridge stressed the Depart- 
ment’s goal to strengthen information sharing and infrastructure protection over the 
next year. We in the Information Analysis and Infrastructure Protection Directorate 
(IAIP) take that mandate to heart in our collective efforts and activities to protect 
the Nation. Established by the Homeland Security Act, the IAIP Directorate leads 
the Nation’s efforts to protect our critical infrastructures from attack or disruption, 
and under the leadership of Under Secretary Frank Libutti has made significant 
strides toward that objective. 

The IAIP Directorate includes the Office of Information Analysis, the primary 
gathering and analytic center for threat information and intelligence within DHS, 
and the Office of Infrastructure Protection (IP), for which I am responsible. In to- 
day’s highly technical and digital world, we recognize that attacks against us may 
manifest in many forms, including both physical and cyber attacks. In addition, we 
recognize the potential impact of collateral damage from any one attack to a variety 
of assets. This interconnected and interdependent nature of our infrastructure 
makes our physical and cyber assets difficult to separate, and it would be irrespon- 
sible to address them in isolation. The placement of our two offices within the Direc- 
torate underscores this linkage and enables us to work together to share intelligence 
and other information and coordinate our efforts to mitigate our vulnerabilities. 
Further, IP’s component divisions work closely together to coordinate efforts regard- 
ing both physical and cyber threats and vulnerabilities and to develop plans that 
address the interdependencies between them. 

Homeland Security Presidential Directive 7 (HSPD 7), released by President Bush 
on December 17, 2003, requires the development of a National Infrastructure Pro- 
tection Plan that sets out a roadmap for assessing both physical and cyber 
vulnerabilities and, once the vulnerabilities are determined, articulating the protec- 
tive actions that need to be taken. As such, IAIP takes a holistic view of critical 
infrastructure vulnerabilities and works to protect America from all threats by en- 
suring the integration of physical and cyber security approaches in the Directorate’s 
Office of Infrastructure Protection. 

This integrated approach to physical and cyber threats and vulnerabilities enables 
us to consider the full range of risks to the Nation, including loss of life, disruptions 
of infrastructure services, economic impact, and national security implications. Rec- 
ognizing that future terrorist attacks may not be limited to either a physical or 
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cyber act, but rather a combination of the two to amplify impact, IP includes the 
National Cyber Security Division, the Protective Security Division, the Infrastruc- 
ture Coordination Division, and the National Communications System and is orga- 
nized to examine and address threats and vulnerabilities across the Nation’s infra- 
structure by using a five-step risk management methodology that measures the na- 
tional risk profile in the context, and absence, of threat information. The major 
steps of our risk management methodology include: 

• Identification of critical infrastructure 

• Assessing vulnerabilities 

• Normalizing, analyzing, and prioritizing protective measures 

• Implementing protective programs 

• Measuring effectives through performance metrics 

By performing each of these steps continuously across and within each critical in- 
frastructure sector, and by integrating threat information, we are continually im- 
proving our national critical infrastructure protection program — physical and 
cyber — and driving better correlation of protective programs to the dynamic threat 
environment. 

National Cyber Security Division Mission: Coordinating our National 
Cyber Security 

In support of the broader IAIP mission, the National Cyber Security Division was 
created in June 2003 to serve as a national focal point for the public and private 
sectors to address cyber security issues and to coordinate the implementation of the 
National Strategy to Secure Cyberspace released by the President in February 2003. 

Under that mandate, the National Cyber Security Division has been working 
closely with our partners in the federal government, the private sector, and aca- 
demia on a variety of programs and initiatives to protect our information infrastruc- 
ture. We recognize that the challenge is vast and complex, that the threats are 
multi-faceted and global in nature, that our strengths — and our vulnerabilities — lie 
in our interdependencies, that the environment changes rapidly, and that informa- 
tion sharing and coordination are crucial to improving our overall national and eco- 
nomic security. The activities of the National Cyber Security Division, then, are 
based on this understanding and are designed to address each of the priorities set 
forth in the National Strategy to Secure Cyberspace (“the Strategy”): 

Priority I: A National Cyberspace Security Response System 

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction 

Program 

Priority III: A National Cyberspace Security Awareness and Training Program 

Priority IV: Securing Government’s Cyberspace 

Priority V:National Security and International Cyberspace Security Cooperation 

Meeting the Mandate: Readiness and Response 

The National Cyber Security Division’s primary overarching goal since its creation 
has been to enhance the Nation’s Cyberspace Security (Readiness and) Response 
System (Priority I) that will, where possible, deter and prevent a cyber attack from 
occurring, limit its scope and impact on the critical infrastructures, and expedite re- 
covery. In October 2003, we participated in Livewire, the first ever national-level 
cyber exercise to baseline our capabilities and communication paths for responding 
to national attack. The exercise involved over 300 participants representing more 
than 50 organizations across federal, state, and local governments and the private 
sector. Cyber attack simulation scenarios were developed to stress cyber inter- 
dependencies across our critical infrastructures and baseline our ability to collabo- 
rate across the public and private sectors. The information gleaned from Livewire 
validated the National Cyber Security Division’s approach and activities. In that 
context, I will outline the National Cyber Security Division’s accomplishments to 
date and discuss on-going and future programs that all serve to enhance our na- 
tional cyber security. 

When I appeared before the Subcommittee in September 2003, I announced the 
appointment of Mr. Amit Yoran as the Director of the National Cyber Security Divi- 
sion. Under his leadership, the Division is aggressively pursuing partnerships and 
programs and building a strong team to meet its objectives. I also announced the 
creation of the U.S. Computer Emergency Readiness Team, or US-CERT. US-CERT 
is a key component of our Cyber Security Readiness and Response System and the 
National Cyber Security Division’s operational arm. Through its initial partnership 
with the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, US- 
CERT provides a national coordination center that links public and private response 
capabilities to facilitate information sharing across all infrastructure sectors and to 
help protect and maintain the continuity of our Nation’s cyber infrastructure. The 
overarching approach to this task is to facilitate and implement systemic global and 
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domestic coordination of deterrence from, preparation for, defense against, response 
to, and recovery from, cyber incidents and attacks across the United States, as well 
as the cyber consequences of physical attacks. To this end, US-CERT is building 
a cyber watch and warning capability, launching a partnership program to build sit- 
uational awareness and cooperation, and coordinating with U.S. Government agen- 
cies and the private sector to deter, prevent, respond to and recover from cyber — 
and physical — attacks. 

One direct impetus of the Livewire exercise was to validate the importance of 
building a cyber information dissemination mechanism to reach our stakeholders. 
On January 28, 2004, the Department of Homeland Security through USCERT un- 
veiled the National Cyber Alert System, an operational system developed to deliver 
targeted, timely and actionable information to Americans to secure their computer 
systems. As the U.S. Government, we have a responsibility to alert the public of im- 
minent threats and to provide protective measures when we can, or least provide 
the information necessary for the public to protect their systems. The offerings of 
the National Cyber Alert System provide that kind of information, and we have al- 
ready issued several alerts and the initial products of a periodic series of providing 
“best practices” and “how-to” guidance. We strive to make sure the information pro- 
vided is understandable to all computer users, technical and non-technical, and re- 
flects the broad usage of the Internet in today’s society. I am pleased to report that 
Americans are exhibiting a keen interest in the alert system. On January 28th, the 
day we inaugurated the system, the US-CERT site received more than one million 
hits. Within the first few weeks, more than 250,000 direct subscribers received Na- 
tional Cyber Alerts to enhance their cyber security. For your reference and for your 
constituents, I urge you to visit www.us-cert.gov to subscribe to a number of our in- 
formation services to facilitate protecting your computer systems. As we increase its 
outreach, the National Cyber Alert System is looking at other vehicles to distribute 
information to reach as many Americans as possible. 

The Livewire exercise reiterated the critical need for government to share infor- 
mation and coordinate efforts at cyber incident preparation that enhance our effec- 
tiveness in responding to cyber activity. To facilitate preparation and interagency 
and public-private coordination during, and to recover from cyber incidents, we cre- 
ated a Cyber Interagency Incident Management Group, or Cyber IIMG. The Cyber 
IIMG coordinates intra-governmental preparedness and operations to respond to, 
and recover from, cyber incidents and attacks. The group brings together senior offi- 
cials from national security, law enforcement, defense, intelligence, and other gov- 
ernment agencies that maintain significant cyber security capabilities that they can 
bring to bear in response to an incident and, importantly, possess the necessary 
statutory authority to act. By meeting monthly, the Cyber IIMG is developing cyber 
preparedness and response plans that will help it to support the IIMG during na- 
tional events with cyber implications, and ensure that during a cyber crisis the full 
range and weight of federal capabilities are deployed in a coordinated and effective 
fashion. 

To enhance the level of communication among federal agencies in a crisis, DHS’ 
IP is continuing to widen the reach of the Critical Infrastructure Warning Informa- 
tion Network, or CWIN. For those who are not familiar, CWIN is a technologically 
advanced, secure network for infrastructure protection, communication and coopera- 
tion, alert, and notification. As a private communications network, CWIN serves as 
a reliable and survivable network with no logical dependency on tbe Internet or the 
public switched network. In the event a significant cyber attack disrupts our tele- 
communications networks and/or the Internet, CWIN provides a secure and surviv- 
able capability for members to communicate. It is important for us to understand 
and prepare for any contingency. In this vein, DHS is extending the reach of 
CWIN’s survivable architecture beyond federal agencies by working with critical pri- 
vate sector companies to establish CWIN nodes at their Network Operations Cen- 
ters. The goal is to increase the number of CWIN nodes to 100 by the end of 2004, 
making it a robust and resilient capability that supports national cyber operations 
and response during times of crisis. 

Key components of the National Cyber Security Division’s efforts are laid out in 
Priority IV of the Strategy: Securing Government’s Cyberspace. Consistent with law 
and policy, the National Cyber Security Division works with the Office of Manage- 
ment and Budget and the National Institute of Standards and Technology regarding 
the security of federal systems and coordinates with federal law enforcement au- 
thorities as appropriate. We have taken great steps to integrate existing frameworks 
into the system, such as the continued functionality of the Federal Computer Inci- 
dent Response Center (FedCIRC) is being transitioned within US-CERT, as well as 
to create a new forum for coordination toward greater cyber security in the federal 
government. 
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We have also broadened our interagency partnerships to create two new groups 
addressing the various challenges before us. The first is the Chief Information Secu- 
rity Officers Forum (CISO Forum), established to provide a trusted venue for our 
government information security officers to collaborate and share effective practices, 
initiatives, capabilities, successes and challenges. The second is the Government 
Forum of Incident Response and Security Teams (GFIRST), a group of technical and 
tactical practitioners of security response teams responsible for securing Govern- 
ment information technology systems. GFIRST members work together to under- 
stand and handle computer security incidents and to encourage proactive and pre- 
ventative security practices. The purpose of the GFIRST peer group is to: 

• Provide members with technical information, tools, methods, assistance and 
guidance; 

• Coordinate proactive liaison activities and analytical support; 

• Further the development of quality products and services for the federal gov- 
ernment; 

• Share specific technical details regarding incidents within a trusted U.S. Gov- 
ernment environment on a peer-to-peer level; and 

• Improve incident response operations. 

The National Cyber Security Division has taken on aggressive plans for acceler- 
ated information sharing and collaboration efforts in both the ClSO Forum and 
GFIRST. Already, both groups have increased information sharing horizontally 
across previously somewhat stove-piped organizations and improved the overall 
cyber preparedness of the U.S. Government. 

Meeting the Mandate: Assessment mid Analysis 

A major component of the National Cyber Security Division’s mission is our focus 
within the Office of Infrastructure Protection to coordinate efforts on physical and 
cyber threat and vulnerability identification and assessment, and the implementa- 
tion of protective measures to reduce vulnerabilities that will enable IAIP to system- 
ically address the security status of U.S. networks and the cyber components and 
dependencies of our critical infrastructures. This effort directly responds to the calls 
in the Strategy and HSPD 7 to: 

• Develop a National Infrastructure Protection Plan; 

• Complete and maintain a critical cyber asset inventory; 

• Implement and expand standard methodologies to perform threat, risk, and 
vulnerability assessments; 

• Develop and maintain an interdependency analysis capability to systemati- 
cally understand the relationships between cyber and physical assets; and 

• Identify and implement priority protective measures to mitigate 
vulnerabilities. 

The National Cyber Security Division currently houses a number of operational, 
data analysis, and other diagnostic tools to assist in assessing our vulnerabilities. 
The US-CERT is developing a comprehensive Watch Operation that will provide a 
24x7 single point of contact for national cyber incident detection, evaluation, re- 
sponse, coordination, and restoration. Some key tools that US-CERT funded and/ 
or executed include: 

• Common Vulnerability and Exposures (CVE), a dictionary of standard names 
for vulnerabilities that makes it possible to correlate information across vendor 
products 

• Malware Analysis, a laboratory operation performing detailed analysis and 
characterization of malicious code to adequately notify the Government of spe- 
cific dangers and threats to the critical infrastructure 

• Security Analysis Program (SAP), a set of analysis tools and capabilities of- 
fered through US-CERT to (1) help agencies better monitor network security 
activity; (2) assist agencies in identifying configuration problems, unauthorized/ 
unnecessary network traffic, network backdoors, and routing anomalies; and (3) 
gain better global situational awareness of network health and malicious activ- 
ity. The use of these tools by the federal civilian agencies represents one way 
that we are transferring technology used by the military to increase our overall 
capabilities. 

As part of our efforts to improve our situational awareness and analysis capabili- 
ties, the National Cyber Security Division is coordinating with the National Com- 
munications System (NCS) on the Global Early Warning Information System 
(GEWIS). GEWIS is an effort underway within IAIP to find a wide variety of 
sources, including open source and approved private information, which can be ana- 
lyzed to provide better situational awareness of the Internet and its underlying in- 
frastructures. GEWIS will allow DHS to assess the health of the Internet in a 
timelier manner and, as a result, coordinate with the appropriate stakeholders in 
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responding to Internet events. GEWIS is currently being used by IP in conjunction 
with other resources to provide the current situational awareness capability. GEWIS 
is continuing to evolve, and over time will provide enhanced functionality. 

Meeting the Mandate: Awareness, Outreach, and Cooperation 

So far I have discussed the accomplishments we have made in readiness and re- 
sponse, assessment, analysis, and warning efforts at the National Cyber Security 
Division. Another major component of our work lies in the outreach and awareness 
programs that support every aspect of our efforts to improve and sustain cyber secu- 
rity. The Strategy clearly identifies the users and stakeholders in cyber security in 
Priority III as home users and small business, large enterprises, institutes of higher 
education, the private sectors that own and operate the vast majority of the Nation’s 
cyberspace, and state and local governments. In Priority V, the Strategy also em- 
phasizes that international cooperation is crucial to protecting ourselves in a world 
where attacks cross borders at light speed. The following components make up the 
National Cyber Security Division’s outreach and awareness programs and serve as 
the basis for our recently initiated Partnership Program. 

One of our most important constituencies is the private sector. It is estimated that 
eighty-five percent of Americas critical infrastructure is owned and operated by pri- 
vate companies, and technology developed by industry continues to fuel the growth 
and evolution of the Internet. In December 2003, the National Cyber Security Divi- 
sion co-hosted the first National Cyber Security Summit in Santa Clara, California 
with the Information Technology Association of America, TechNet, the Business 
Software Alliance, and the U.S. Chamber of Commerce. This event was designed to 
energize the public and private sectors to implement the National Strategy to Secure 
Cyberspace. The Summit allowed the Department of Homeland Security to work 
side-by-side with leaders from industry to address the key cyber security issues fac- 
ing the Nation. Five interest areas were established to focus specifically in the areas 
of: 

• Increasing awareness 

• Cyber security early warning 

• Best practices for information security corporate governance 

• Technical standards and common criteria 

• Security across the software development lifecycle 

Perhaps most importantly, the Summit served as a call to action. It represented 
a logical transition point from developing a national strategy to energizing the pub- 
lic-private partnership to implement concrete, measurable actions to improve the se- 
curity of America’s cyber systems. The efforts of these working groups as well as 
those of other industry leaders will be vital as we move forward in implementing 
the National Strategy. 

In addition to the National Cyber Security Summit, the National Cyber Security 
Division is working with a host of groups to better understand and address their 
cyber security issues and concerns. These groups include, among others, the Presi- 
dent’s National Infrastructure Advisory Council, the President’s National Security 
Telecommunications Advisory Committee, and the private sector Information Shar- 
ing and Analysis Centers (ISAC). As a result of the working relationships that have 
been developed among state and local cyber security representatives, we are also fa- 
cilitating a multi-state ISAC that will even further enhance information sharing at 
the state and local levels. 

The National Cyber Security Division is also working closely with the research 
and academic communities to better educate and train future cyber analysts. We are 
participating in the National Science Foundation’s Scholarship for Service, or “Cyber 
Corps” program as well as the National Security Agency’s fifty Information Assur- 
ance Centers for Academic Excellence in twenty-six states. We are looking at a num- 
ber of additional ways to raise cyber security awareness in our educational and pro- 
fessional programs, including exploring the K-12 curriculum with the Department 
of Education and exploring the possibility for the private sector to create inde- 
pendent information technology certification programs for IT security professionals. 

A crucial role for the National Cyber Security Division is to cooperate and lever- 
age expertise within the Department of Homeland Security. Within IP, the National 
Cyber Security Division coordinates with the Protective Security Division (PSD) on 
our physical and cyber interdependencies and activities. In addition, it works closely 
with the National Communications System (NCS), which runs the CWIN program 
and the Global Early Warning Information System (GEWIS) described above, and 
brings NCS’s telecommunications system expertise to its efforts. Through its inte- 
grated approach to addressing the critical infrastructure, the Office of Infrastructure 
Protection also coordinates efforts with the 13 critical infrastructure sectors laid out 
in HSPD 7 and their respective Information Sharing and Analysis Centers (ISACs). 
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The National Cyber Security Division coordinates closely with IP’s Infrastructure 
Coordination Division on the cyber elements of their efforts. 

In addition to our coordinated work within IP, the National Cyber Security Divi- 
sion works with a number of other DHS organizations. Close linkage between the 
Office of Infrastructure Protection and the Office of Information Analysis, led by As- 
sistant Secretary Patrick Hughes, promotes the ability to map threat information 
with cyber vulnerabilities. This mapping allows for the effective prioritization of po- 
tential risks so agencies may implement remediation efforts as quickly as possible 
to limit the impact of computer incidents. 

The technology that drives cyber security needs and product demands develops 
very rapidly in today’s environment. Therefore, IAIP and the Science and Tech- 
nology Directorate (S&T) are working together to coordinate research and develop- 
ment activities in the important areas of critical infrastructure protection and cyber 
security. A program of regular, interactive meetings between the two directorates 
ensures a two-way flow of information and coordination of technical activities. S&T’s 
cyber security portfolio scope and activities are driven by the threats and issues that 
warrant national-level concerns, including cyber attacks by hostile adversaries 
against the Nation’s critical infrastructures, or attacks whose consequences are of 
sufficient magnitude to cause widespread economic or social disruptions. The Na- 
tional Cyber Security Division provides important input regarding the research and 
development requirements for S&T’s cyber security portfolio based on its activities 
and insight into the needs for greater protection of our cyber systems. Initial tech- 
nical emphases for the Cyber Security Portfolio include: 

• Improving the security of Internet infrastructure protocols and developing mi- 
gration paths for these protocols into commercial use; 

• Research, development, testing, and evaluation investments aimed at next- 
generation cyber security technologies aimed at prevention of and protection 
against attacks; threat identification and tracking; monitoring, detection, and 
attribution of attacks; and immediate as well as longer-term response to at- 
tacks; 

• Economic assessment and modeling to support the development of business 
cases for cyber security in addition to providing a foundation for risk-based 
cyber security decision making. 

I have addressed many of our national efforts, but I want to emphasize our inter- 
national partnership efforts as well. As the Strategy says, “America’s cyberspace is 
linked to that of the rest of the world.” Cyberspace is truly borderless, and our com- 
munications networks are inarguably interconnected. We need to defend our sys- 
tems from the outside, but we can only do so with global cooperation and coordina- 
tion. Therefore, the National Cyber Security Division’s Partnership Program in- 
cludes outreach and advocacy efforts with our global partners, through US-CERT 
outreach activities and in bilateral and multilateral discussions in conjunction with 
the Department of State, the Department of Justice, and the Department of De- 
fense. 

The National Cyber Security Division is only nine months old, but these initia- 
tives represent considerable progress toward making cyber security a reality and re- 
flect our collective commitment to do more. Each accomplishment fosters further ac- 
tivity, which we have outlined in our FY 2005 budget request. 

National Cyber Security Division Budget Request FY 2005 

The National Cyber Security Division Budget Request of $ 79 million for the fiscal 
year 2005 is based on the on-going and future activities necessary to meet our mis- 
sion. The budget plan is organized around National Cyber Security Division’s pro- 
gram initiatives in (1) Readiness and Response; (2) Strategic Initiatives; (3) Informa- 
tion Sharing and Coordination; and (4) Management and Administration. Please let 
me highlight some key initiatives in the plan. 

Readiness and Response 

The core building block for an effective National Cyberspace Security Readiness 
and Response System is the U.S. Computer Emergency Readiness Team (US- 
CERT). 

US-CERT will require full funding of $59.3 million for its various existing and 
projected programs, including sustaining and improving the GEWIS, CWIN, Watch, 
and other programs described above. In its inaugural year, US-CERT is making sig- 
nificant progress in establishing critical operational capabilities and building key re- 
lationships within government, private industry, and academia. To further these ad- 
vancements, FY05 will be a significant year for the US-CERT to continue building 
and enhancing present capabilities into even more responsive and robust ones. 

Strategic Initiatives 
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The National Cyber Security Division’s Vulnerability Assessment and Reduction 
Program in response to HSPD 7 is a central aspect of its Strategic Initiative endeav- 
ors, and the requested funding of $7.0 million will build upon the initial efforts un- 
dertaken in FY03 and FY04. Additional aspects of the Strategic Initiatives program 
include software assurance efforts, continued awareness and training efforts, and a 
series of tabletop and other exercises including a second Livewire exercise, our par- 
ticipation in the National-Level Exercise Program, and a planned set of cyber-spe- 
cific tabletop exercises at the State and local level. 

Information Sharing and Coordination 

A critical aspect of the National Cyber Security Division’s activities is outreach 
to the public and private stakeholders in the U.S. and interaction with global part- 
ners. $8.7 million will be used to support a variety of public awareness campaigns 
and outreach efforts — such as continued support of the Stay Safe Online campaign — 
as called for in the Strategy. IAIP will also build and expand international partner- 
ships to raise cyber security awareness and cooperation to promote a global culture 
of security. Most importantly, it accomplishes the operational partnership executive 
of information sharing and collaboration. 

Management and Administration 

The National Cyber Security Division is building a significant team of technical 
and security experts and determining the infrastructure it needs in support of its 
numerous initiatives toward greater national cyber security. 

Conclusion 

The creation of the National Cyber Security Division reflects the recognition that 
we as a Nation are utilizing sophisticated information networks to increase produc- 
tivity, encourage innovation in products and services, enhance daily lives, and com- 
municate globally in an instant. Importantly, we are also using these innovations 
to enhance our national and economic security, facilitate our law enforcement and 
public safety efforts, and protect our individual privacy. As technology has devel- 
oped, we have found more exciting ways to use it, and we have become increasingly 
dependent on it. But, we have also acknowledged that its proliferation across our 
critical infrastructures — the very same proliferation that makes us more advanced 
as a society and an economy — also makes us vulnerable to those who would use it 
to harm us. IAIP, through the coordinated efforts of its component divisions includ- 
ing the National Cyber Security Division, is working diligently to address those 
vulnerabilities and provide greater security without stunting the growth and bene- 
fits of the digital economy for all Americans. We are approaching the next National 
Cyber Security Day this Sunday, and as Americans turn their clocks forward, we 
will also be urging them take the opportunity to review — and improve — their cyber 
readiness. 

In its short life, the National Cyber Security Division is positively exploiting the 
work of its predecessors, leveraging the existing expertise around it, and building 
crucial partnerships as part of DHS’ overall efforts to enhance the protection of our 
Nation’s critical infrastructures. We have addressed crucial operational components 
of our program and are improving them, and we are developing strategic plans for 
the future. We know we still have much to do and that it will take time, resources, 
dedication, energy, and hard work to succeed. We are committed to that challenge, 
and we look forward to future opportunities to update the Subcommittee on our 
progress. 

Again, thank you for the opportunity to testify before you today. I would be 
pleased to answer any questions you have at this time. 

Mr. Thornberry. Thank you. 

Now we turn to Mr. Steven Cooper, who is the Chief Information 
Officer for the Department of Homeland Security. 

STATEMENT OF STEVEN COOPER, CHIEF INFORMATION 
OFFICER, DEPARTMENT OF HOMELAND SECURITY 

Mr. Cooper. Mr. Chairman and members of the subcommittee, 
good morning. I am Steve Cooper, Chief Information Officer for the 
Department of Homeland Security. It is my pleasure to appear be- 
fore the subcommittee, and I wish to thank the chairman and 
members for providing me the opportunity to update you on our ef- 
forts and progress in integrating and securing information systems 
within the Department and to discuss the President’s fiscal year 
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2005 budget for information technology. I would request that my 
written testimony be entered into the record. 

Mr. Thornberry. Without objection, your testimony shall be in 
the record. 

Mr. Cooper. Thank you. 

The challenges facing those of us who comprise the information 
technology function of the Department of Homeland Security is 
complex. There are three major areas of focus. 

The first is to ensure that the women and men on the front lines 
of the Department have all of the information technology enabled 
solutions and tools they need to safeguard the United States and 
to deliver our safety and service-related operational functions and 
capabilities. The war on terrorism is real, and we must deliver new 
mission solutions with quality and speed in a cost effective manner 
while maintaining already existing mission solutions that we inher- 
ited when the Department was formed. 

The second area addresses the integration of IT enabled solu- 
tions. Guided by our enterprise architecture, we are identifying op- 
portunities to consolidate and streamline mission solutions. In mis- 
sion areas like threat identification and management, identity 
credentialing, in collaboration we have identified multiple solutions 
in use within the various organizational elements of the Depart- 
ment. Our goal is to help facilitate and support the operators and 
subject matter experts in our business units, and determine the op- 
timal number and nature of mission solutions needed. 

And the third area is to realize efficiency and economies of scale 
that the President and Congress have set forward when creating 
the Department of Homeland Security. Here, we must rapidly iden- 
tify and eliminate existing overlap or redundancy within our IT in- 
frastructure within the Department. However, we must ensure that 
we do no harm to mission solutions while we restructure and con- 
solidate our infrastructure. In this case, we really are changing the 
tires on the car while it is moving. 

In order to guide the information technology function in achiev- 
ing success in these three overarching focus areas, I have, in con- 
cert with our Department of Homeland Security CIO Council, set 
eight priority force the IT function. I would like to share these with 
the committee. 

Very quickly, they are: Information sharing, mission rationaliza- 
tion, IT portfolio management, information security, infrastructure 
transformation, enterprise architecture, IT governance, and IT 
human capital. 

These priorities are aligned with the strategic priorities of the 
Department set forth by Secretary Ridge and Deputy Secretary 
Loy. For each priority, we are in the process of developing a case 
for change, the business case, a road map that outlines the activi- 
ties, tasks, and deliverables needed to achieve the desired objec- 
tives and metrics by which we will measure success. I would like 
to highlight two of these eight. 

First is enterprise architecture. In my previous testimonies, I 
have discussed the vision of strategy of DHS and how that strategy 
must be supported by a disciplined capital planning investment 
control process that is guided by business-driven enterprise archi- 
tecture. With the release of the first version of enterprise architec- 
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ture in September 2003, we made progress toward the goal of 
achieving, one, Department of Homeland Security IT infrastruc- 
ture. Version 1 of the enterprise architecture describes a target in- 
formation management infrastructure that will be dramatically dif- 
ferent from the one we have today, one that will provide timely, ac- 
curate, useful, and actionable information to all individuals and 
stakeholders who require it all of the time. We believe this effort 
was truly unique in the Federal Government, and that we deliv- 
ered a comprehensive and immediately useful target enterprise ar- 
chitecture in less than 4 months. 

Version 1 of our enterprise architecture contributed to some of 
our investment decisions for fiscal year 2005. Work is currently 
under way on Version 2 of the enterprise architecture. This work 
will develop additional detail around the target architecture and 
enhance the transition strategy from Version 1 into a more detailed 
transition plan that will specifically enable the implementation of 
the target enterprise architecture. 

Version 2 is currently on track for completion by the end of this 
fiscal year. Along with continuing the hard work of developing 
greater detail, we will continue reaching deeper to find more oppor- 
tunities to consolidation and begin to develop new and improved 
mission support capabilities enabled by information technology. 

Version 2 of the enterprise architecture, together with the associ- 
ated transition plan, will serve as the basis for further improving 
DHS mission performance and facilitating information technology, 
alignment, integration, and consolidation. 

DHS is a new organization formed a little over a year ago from 
22 legacy agencies, each with their own culture, processes, and leg- 
acy information technology systems. Many of these legacy agencies 
had developed their own enterprise architectures prior to the estab- 
lishment of the Department. The challenge for us is to implement 
an integrated DHS enterprise architecture, bringing together the 
good work that has been done within each of the organizational ele- 
ments and, during that process, ensuring that the entire Depart- 
ment has the IT capabilities needed to accomplish our mission ca- 
pabilities every day. 

One challenge to achieving integrated homeland security enter- 
prise architecture is having enterprise architecture that is suffi- 
ciently mature to support detailed alignment and analysis for IT 
investment management decision making. We used Version 1 to 
identify what we called quick hits, and these are outlined in re- 
lease one of our enterprise architecture; we are currently devel- 
oping Version 2 to support more detailed investment decision mak- 
ing. 

Another potential challenge is overcoming resistance to change 
and obtaining management and organizational buy-in into our en- 
terprise architecture initiative. The Department has placed a very 
high priority on our efforts. Deputy Secretary Loy has directed the 
major organizational components of DHS to participate in the de- 
velopment of Version 2. As we speak, there are more than five dif- 
ferent business focus area teams comprised of subject matter ex- 
perts from across the Department working in facilitated team ses- 
sions to make sure that the business model for enterprise architec- 
ture Version 2 accurately and comprehensively captures the capa- 
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bilities and requirements needed to accomplish the Department’s 
mission. The extent of each organizational element’s participation 
in these business area focus teams is reported to the DHS Manage- 
ment Council and monitored on a bi-weekly basis. 

The development of an enterprise architecture is an enormously 
complex process requiring considerable resources and a systematic 
methodology. However, DHS has already made good progress in 
meeting the goals of our desired target enterprise architecture. We 
are well on our way to consolidating many of the management 
functions from each of the 22 agencies, including financial and 
human resources. We have reduced to 10, 19 financial management 
service providers. We have moved from 13 separate contracting of- 
fices to eight. We have moved from 22 human resource offices to 
seven. We have moved from eight different payroll systems to 
three, and department experts expect to reduce this to one by the 
end of the year. And we have moved from 22 property management 
systems to three. 

These are a few up-to-date examples of the progress we are mak- 
ing. It is, however, clear that we still have a long way to go. 

I would like to highlight our fiscal year 2005 budget request very 
quickly. 

Information contributes to every aspect of homeland security and 
is a vital foundation of the homeland security effort. My office has 
responsibility for providing IT leadership that will foster best man- 
agement practices in managing IT, enhance efficiencies through 
shared services and coordination of acquisition strategies, ensuring 
systems are properly accredited and certified as secure, and being 
an advocate for business transformation, all necessary toward en- 
suring that our homeland is more secure. The leadership and fund- 
ing provided through the Department’s IT investments are crucial 
for maintaining an enterprise architecture that is fully integrated 
with other management processes, and for allowing the Depart- 
ment to participate in many of our e-Gov initiatives across the 
Federal enterprise. 

The President’s budget request for fiscal year 2005 includes a re- 
quest for 226 million for departmentwide information technology 
investments. Included in the request is $95 million for information 
technology services, a portion of which will provide funding for the 
departmentwide geographic information system capability to im- 
prove the Department’s enterprise portal. This funding provides for 
continuation of our enterprise architecture and planning efforts to 
address our evolving financial management system, eMERGE2, 
and funding to enable the development, the beginning of the devel- 
opment of our human resources information technology solutions. 

Additionally, the request includes $31 million for information se- 
curity-related activities. 

Finally, the fiscal year 2005 budget request includes $100 million 
for wireless communications. 

I would like to highlight some key things related to one of our 
eight priorities in closing, and that is information security. 

Since its creation, the Department of Homeland Security has 
moved out aggressively to design and implement an information se- 
curity program that will not only ensure compliance with all appro- 
priate standards and regulations, but to also ensure that the entire 
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Homeland Security community has a secure and trusted computing 
environment from which to operate. The heart of our reporting 
structure is built around the congressional requirements expressed 
in FISMA, the Federal Information Security Management Act. In 
order to effect a comprehensive information security program, and 
in accordance with the provisions of FISMA, I have designated a 
Chief Information Security Officer who manages and oversees all 
the internal Homeland Security Department’s information systems 
security activities. The FISMA report details compliance with Fed- 
eral laws and policies and DHS information security policies and 
standards. DHS is in the process of implementing enterprise man- 
agement tools to ensure the accuracy and completeness of FISMA 
reporting across the Department. 

FISMA requires each agency to perform for each program and 
system periodic testing and evaluation of the effectiveness of infor- 
mation security policies, procedures, and practices. We do follow 
and will apply the Self-Assessment Guide for Information Tech- 
nology Systems from the National Institute of Standards and Tech- 
nology and as mandated by law. This self-assessment guide utilizes 
an extensive questionnaire which we have already begun using in 
delivering our first Department of Homeland Security report. 

I have selected a commercial off-the-shelf product called “Trusted 
Agent FISMA”. This is an automated enterprise based manage- 
ment tool that maintains FISMA reporting data from all of our 
components and their plans and activities that captures and tracks 
security weaknesses and associated corrective milestones. In addi- 
tion, it collects, processes, and stores all of the self-assessment in- 
formation in accordance with the NIST guidance. We have deployed 
this system throughout DHS and have generated our first quar- 
terly report. We expect this to improve the timeliness and accuracy 
of our reporting as this information is available real-time to the 
Secretary and other cognizant officials. 

I thank you again for the opportunity to testify before you today, 
and am pleased to answer questions that the committee may have. 

Prepared Statement of Steven Cooper, Chief Information Officer, U.S. 

Department of Homeland Security 

Mr. Chairman and Members of the Subcommittee: 

Good morning, I am Steve Cooper, Chief Information Officer for the Department 
of Homeland Security (DHS). It is my pleasure to appear before the Subcommittee, 
and I wish to thank the Chairman and Members for the providing me the oppor- 
tunity to update you on our efforts and progress in integrating and securing infor- 
mation systems within the Department and to discuss the President’s FY 2005 
budget request for Information Technology. I will also update the Subcommittee on 
our Enterprise Architecture program efforts. 

Enterprise Architecture 

In his proposal for creating the Department over a year ago the President high- 
lighted the use of enterprise architecture techniques to improve both the sharing 
and use of information. The President stated that the “development of a single en- 
terprise architecture for the department would result in elimination of the sub-opti- 
mized, duplicative, and poorly coordinated systems <and processes> that are preva- 
lent in government today. There would be rational prioritization of projects nec- 
essary to fund homeland security missions based on an overall assessment of re- 
quirements rather than a tendency to fund all good ideas beneficial to a separate 
unit’s individual needs even if similar systems are already in place elsewhere.” 

In my previous testimonies, I’ve discussed the vision and strategy of DHS and 
how that strategy must fulfill the President’s vision. Additionally, it must be sup- 
ported by a disciplined capital planning and investment control process that is guid- 
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ed by business-driven enterprise architecture. With release of the first version of the 
enterprise architecture in September 2003, we made progress toward the goal of one 
DHS infrastructure. Version 1 of the enterprise architecture describes a target infor- 
mation management infrastructure that will be dramatically different from the one 
we have today, one that will provide timely, accurate, useful and actionable informa- 
tion to all individuals who require it all the time. We believe this effort was truly 
unique in the federal government in that we delivered a comprehensive and imme- 
diately useful target enterprise architecture in less than four months. 

However, Version 1 of the Homeland Security Enterprise Architecture (HLS EA) 
defines the enterprise architecture at a conceptual level and outlines a general tran- 
sition strategy that must be broken down further for the architecture to be imple- 
mented. Version 1, which was published at the end of September 2003: 

• Identified common activities 

• Proposed conceptual projects 

• Proposed reusable business components 

• Proposed Technology Patterns 

• Began communications effort 

• Increased understanding of EA planning and integration 

• Increased the knowledge of the target architecture 

Work is currently under way on Version 2 of the enterprise architecture. This 
work will develop additional detail around the target architecture and enhance the 
transition strategy from Version 1 into a more detailed transition plan that will 
more specifically enable the implementation of the target enterprise architecture. 
This effort currently consists of 5 business teams composed of about 45 business 
people charged with the responsibility of decomposing the common business activi- 
ties. During this effort for Version 2, we will: 

• Verify and augment transitional projects 

• Verify and augment reusable business components 

• Verify and augment technology patterns 

• Prepare an HLS-EA Framework that identifies the products that will be pro- 
duced by the department and that are expected to be produced by the Transi- 
tional Project Managers 

• Prepare governance procedures and bodies to ensure alignment with the 

HLS-EA 

• Ensure the integration of the transitional projects 

Concurrently with the Version 2 effort, the enterprise architecture team is work- 
ing with several large project offices, e.g., ACE and US-VISIT, to determine align- 
ment to the transition strategy so that these project offices can immediately begin 
building to the target architecture. 

Version 2 is currently on track for completion early in the 4th quarter, FY04. 
Along with continuing the hard work of developing greater detail, we will continue 
reaching deeper to find more opportunities for consolidation and opportunities to de- 
velop new and improved mission support capabilities enabled by information tech- 
nology. Version 2 of the enterprise architecture, together with the associated transi- 
tion plan, will serve as the basis for further improving DHS mission performance 
and facilitating IT alignment, integration, and consolidation. 

Technical Reference Model Status 

In Version 1 of the EA, we developed the DHS Technical Reference Model (TRM) 
by extending the TRM from the Office of Management and Budget Federal (OMB) 
Enterprise Architecture (FEA). The value of the TRM is to provide a common set 
of terminology for describing and organizing technology. We are currently working 
on further developing the DHS TRM by improving the structure of technology cat- 
egories so that they promote consistency and are more meaningful across the De- 
partment. 

In addition, we have made progress on filling in the Standards Profile (SP). The 
Standards Profile provides guidance to the components and major programs on what 
technologies to use to implement solutions to ensure consistency and interoper- 
ability with other solutions within the Department and the homeland security com- 
munity. Our approach is to collect all of the technology standards from the compo- 
nent CIO offices and to organize them into the revised TRM for analysis. In many 
cases, the standards in place are consistent across the components and these con- 
sensus standards will be adopted as the Departmental standard. Standards that are 
adopted fall, generally, into four categories: Move-to, Divest, Hold, or Contain. As 
part of the process, we have assigned “stewardship” of specific standards to individ- 
uals within my ClO shop or to other appropriate individuals in the Department. As 
the standards are developed, they reviewed by the Applied Technology Working 
Group, in accordance with the EA Governance Process as a part of the IT strategic 
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management framework, and are adopted by the Enterprise Architecture Board 
(EAB). 

One particular area where the TRM from the EA Version 1 has been useful is 
in guiding investment in IT is in the area of “technology patterns.” Patterns are re- 
peatable solutions to recurring technical challenges that are based on best practices, 
typically from industry. In Version 1 of the EA, we identified over a dozen patterns 
that have significant applicability within the Department. As a result, one of the 
major business/IT initiatives within the Department, the eMERGE 2 program of the 
Resource Management Transformation Office (RMTO) has adopted the pattern ap- 
proach and is in the process of acquiring technologies that implement several of the 
patterns identified. These patterns and technologies will form a technology founda- 
tion for other programs to leverage. 

Implementation of “Quick Hits” 

Definitions for the Quick Hits, foundational elements and activities that had to 
be in place to support achievement of an integrated enterprise architecture, have 
been completed and stewards have been recommended. The Quick Hits have begun 
to be integrated into existing projects. For example, RMTO will soon begin imple- 
menting some of the technology patterns included in the Technology Patterns Quick 
Hit. The Consolidated Enforcement Environment (CEE) project has formed a case 
management working group and is incorporating the Standardized Investigation 
Case Management Quick Hit into their plans and will be coordinating with the De- 
partment of Justice on a long term solution. The One Face at the Border initiative 
met the requirements for the Integration POE Workforce Quick Hit. The Office of 
Infrastructure Management, within the DHS CIOs office, is working toward Net- 
work Integration as part of their One DHS Infrastructure project. 

Challenges Achieving an Integrated Enterprise Architecture, Timelines and Imple- 
mentation 

DHS is a new organization, formed a little over a year ago from 22 legacy agen- 
cies, each with their own culture, processes, and legacy IT systems. Many of these 
legacy agencies had begun development of their own Enterprise Architectures prior 
to the establishment of DHS. The challenge for DHS is to implement an integrated 
DHS Enterprise Architecture while ensuring that, during the process, the entire De- 
partment has the IT capabilities needed to accomplish the mission. 

One challenge to achieving an integrated HLS EA is having an EA that is suffi- 
ciently mature to support detailed alignment and analysis for IT investment man- 
agement decision-making. As I’ve noted previously, DHS developed Version 1 of the 
DHS EA in 4 months ending in September 2003. We also used Version 1 to identify 
Quick Hits and we are currently developing the HLS EA version 2, to support IT 
investment management. 

Another potential challenge is overcoming resistance to change and obtaining 
management and organizational buy-in into the EA. The Department has placed a 
very high priority on the HLS EA. Deputy Secretary Loy has directed the major or- 
ganizational components of DHS to participate in development of Version 2 of the 
DHS EA. As we speak, there are more than 5 different Business Focus Area Teams, 
composed of subject matter experts from across the Department, working in facili- 
tated team sessions to make sure that the business model for EA Version 2 accu- 
rately and comprehensively captures the capabilities needed to accomplish the De- 
partment’s mission. The extent of each organizational element’s participation in 
these Business Area Focus Teams is reported to the DHS Management Council and 
monitored on a bi-weekly basis. 

The development of an EA is an enormously complex process. The goal was to 
produce a foundation for enabling DHS to make decisions about DHS investments 
immediately and to begin to direct its resources away from stove-piped, duplicative 
systems and move to interoperable, enterprise wide systems providing improved 
mission capability. Although Version 1 of the EA is relatively conceptual in nature, 
it does provide a foundation for implementation. As noted, DHS has been using the 
principles and transition strategy as a basis for beginning to redirect resources from 
current investments. 

As we speak, DHS is working on Version 2 of the EA. This version will include 
a transition plan that will be completed in June 2004. Version 2 will continue to 
build on the hard work of the first version by developing greater detail, reaching 
deeper to find more opportunities for consolidation, and establishing a consolidated 
framework for meeting mission need. 

One of the difficulties in expediting implementation of such a major change, such 
as EA, is the degree to which that change can be managed and accepted by an orga- 
nization. However, DHS has already made significant progress in meeting the goals 
of the EA. We are well on our way to consolidating many of the management func- 
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tions from each of the 22 agencies, including financial and human resources sys- 
tems. 

• 19 financial management service providers were reduced to 10 

• separate contracting offices were reduced to 8 

• 22 human resource offices were reduced to 7 

• 8 different payroll systems were reduced to 3 and DHS expects to reduce this 

to one by the end of the year. 

• 22 property management systems have been consolidated to 3. 

These are just a few of the examples of progress. And it is clear we still have a 
long way to go. 

One of the first things we need to do is implement a full governance structure 
with enforcement authority to ensure that investments are aligned with the stra- 
tegic goals. We have already made progress in this area. This week the DHS Enter- 
prise Architecture Board (EAB)is open for business. The EAB is charged with the 
responsibility of reviewing all investments for their alignment to our EA. What this 
means is that all investments going through the FY06 budget process will have to 
demonstrate that it is achieving the goals of our transition strategy and that it is 
aligned to the technology standards identified in the EA. This will mean that the 
EAB will be responsible for reviewing nearly 300 investments this year. That is a 
daunting task for an organization. 

Another area we could focus on to expedite the implementation is to increase the 
number of working groups focusing on specific areas within DHS that support the 
DHS mission. Currently, DHS has the Resource Management Transformation Office 
(RMTO), which is consolidating an enterprise solution for DHS administrative func- 
tions, such as accounting, acquisition, budgeting, grants, and procurement. 
Department-wide Information Technology Investments Budget Request FY 
2005 

Information contributes to every aspect of homeland security and is a vital foun- 
dation for the homeland security effort. My office has responsibility for providing IT 
leadership that will foster best management practices in managing IT, enhance effi- 
ciencies through shared-services and coordination of acquisition strategies, ensuring 
systems are properly certified and accredited as secure, and being an advocate for 
business transformation, all necessary toward ensuring the homeland is made more 
secure. The leadership and funding provided through the Department’s IT invest- 
ments are crucial for maintaining an enterprise architecture that is fully integrated 
with other management processes, and for allowing DHS to participate in many E- 
Gov Initiatives. 

The President’s budget request for FY 2005 includes a request for $226 million 
for Department-wide Information Technology Investments. Key strategic issues in 
FY 2005 will be to build and expand upon the foundational work completed in FY 
2003 and FY 2004; to facilitate consolidation of management function capabilities; 
to lead the implementation of the Department’s Enterprise Architecture; and, to 
continue to coordinate information integration efforts within DHS. 

Included in the request is $95 million for Information Technology Services, a por- 
tion of which will provide funding for the Department-wide Geographic Information 
System (E-GIS) capability; to improve the Department’s Enterprise Portal; this 
funding provides for continuation of the DHS Enterprise Architecture and planning; 
evolving the Financial Management System, eMERGE 2 ; and, development of the 
Human Resources information technology solution. 

Additionally the request includes $31 million for Security activities, which will 
provide funding for continuation of the Homeland Security Information Technology 
and Evaluation program; and for continued support of terrorist information integra- 
tion and sharing. 

Finally, the FY 2005 request includes $100 million for Wireless Communications, 
which includes funding for enhancement of the Integrated Wireless Network (IWN) 
and Tech Ops Support. The Expanded IWN initiative expands to other DHS agen- 
cies the pre-existing Justice-Treasury IWN partnership established prior to the in- 
ception of the Department of Homeland Security (DHS), and which includes mobile 
radio (MR) and the application of emerging technologies as it pertains to domestic 
law enforcement and counter/anti-terrorist operations (including missions in the 
U.S. Territories), tactical communications, legacy systems support, and airborne and 
non-Coast Guard marine communications. It also continues the funding for the 
SAFECOM project. 

Information Security 

Since it’s creation, the Department of Homeland Security has moved out aggres- 
sively to design and implement an Information Security Program that will not only 
ensure compliance with all appropriate statutes and regulations, but to also ensure 
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that the entire Homeland Security community has a secure and trusted computing 
environment from which to operate. The heart of our reporting structure is built 
around the congressional requirements expressed in the Federal Information Secu- 
rity Management Act known as FISMA. In order to effect a comprehensive Informa- 
tion Security Program and in accordance with the provisions of FISMA, I have des- 
ignated a Chief Information Security Officer (CISO) who manages and oversees all 
of the internal Homeland Security Department’s Information Systems Security ac- 
tivities. 

Due to the comprehensive nature of the FISMA reporting requirements, and to 
avoid duplication of effort, DHS uses the FISMA reports to satisfy the annual re- 
quirement to verify to the Secretary the status of the Information Security Program. 
Additional mechanisms, such as program briefings, status information and incident 
reports ensure continuous visibility to the Secretary throughout the year. 

The FISMA report details compliance with Federal laws and policies and DHS in- 
formation security policies and standards. DHS is in the process of implementing 
enterprise management tools to ensure the accuracy and completeness of FISMA re- 
porting across the Department. 

FISMA requires each agency to perform for each program and system “periodic 
testing and evaluation of the effectiveness of information security policies, proce- 
dures, and practices” annually. NIST SP 800-26, Self-Assessment Guide for Informa- 
tion Technology Systems, is the required self-assessment guide required by OMB 
policy. This, self-assessment guide utilizes an extensive questionnaire (containing 
specific control objectives and suggested techniques which the security of programs 
and systems can be measured. OMB’s FISMA implementing guidance also requires 
agencies to maintain a Plan of Action and Milestones process that captures and 
tracks security weaknesses, and associated corrective milestones. 

I have selected a Commercial off the Shelf Product called “Trusted Agent FISMA”. 
This is an automated enterprise based management tool that maintains FISMA re- 
porting data from all our components and their POA&M’s that will capture and 
track security weaknesses and associated corrective milestones; in addition it will 
collect, process and store self-assessment information in accordance with NIST SP 
800-26. We have deployed this system throughout DHS and have generated our 
first quarterly report. We expect this to improve the timeliness and accuracy of our 
reporting as this information is available real-time to the Secretary and other cog- 
nizant officials. 

With this tool we will be able to focus our compliance and as well as leverage the 
effort of the DHS Inspector General to corroborate the accuracy of the FISMA infor- 
mation and improve the compliance stature of the department. 

I thank you again for the opportunity to testify before you today and I am pleased 
to answer any questions you may have. 

Mr. Thornberry. Thank you. 

I will yield my time to the chairman of the full committee, Chair- 
man Cox. 

Mr. Cox. Thank you, Mr. Chairman. I take it that you mean you 
are simply postponing your own opportunity? 

Mr. Thornberry. There may be another chance. 

Mr. Cox. I hope you do not yield your time entirely. 

I want to join in welcoming our witnesses, and thank you very 
much for your leadership in the Department, for being up here 
today, and for keeping us apprised of what you are doing. As you 
know, we are keenly interested, in fact most members of the sub- 
committee have been keenly interested in cyber as a priority since 
we were developing the Homeland Security Act in Congress. And 
we want to make sure that it gets all the attention that it deserves, 
and I know that you are doing that. 

Let me begin by asking just what I hope is a trivial question. I 
am just trying to do the math in the testimony: That the $79 mil- 
lion dollar request for cyber; of that, 75 percent is going to the pro- 
gram, 59.3. Then there was another 8.7 that goes to outreach and 
public awareness, and 7 million that goes to vulnerability assess- 
ments and reduction. That leaves, by my math, 4 million unac- 
counted for, and I just wondered where it went. 
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Mr. LISCOUSKI. Sir, if you would permit me to get back in writing 
on that so I can do the math myself, I am sure we can provide to 
you the balance of where that $4 million is. 

Mr. Cox. It may be undistributed overhead. I don’t know. 

Mr. Liscouski. I could look through this, but I would prefer to 
get back to you in writing, if I may, sir. 

Mr. Cox. Okay. Given the important role, as you outlined, Mr. 
Liscouski, in your testimony for the Computer Emergency Readi- 
ness Team, the CERT, the component of your efforts, how should 
we assess the other watch centers within DHS? There are several 
of them. If we are interested in consistency and overall cyber spec 
reporting, shouldn’t we be concerned? Or should we welcome the 
fact that we have, for example, the IP National Communications 
System operating a 24/7 telecommunications watch center; we have 
also within IP Cybersecurity Division operating a 24 by 7 cyber 
watch center; we also have within IP the Infrastructure Coordina- 
tion Division operating a 24/7 watch for physical and cyber report- 
ing. We have within IA a 24/7 Homeland Security Op Center with 
a dedicated cyber watch desk. We have Mr. Cooper, in your shop, 
a Cybersecurity Incident Response Center. And, we have at Secret 
Service a 24/7 watch operation for electronic crimes. 

Mr. Liscouski. Sir, and thank you for the question. Let me get 
some clarity to the operations overall in terms of how the integra- 
tion of the watch centers is being performed. 

The legacy organizations that came in to us from Secret Service, 
from NCS that — and the Fed CIRC, that represent some of the 
watch centers you just articulated. With respect to the Fed CIRC, 
the NCC, the ones we have created with the HSOC, I will just 
quickly try to outline what those capabilities and mission require- 
ments are and tell you how they are integrating. 

The HSOC, the Homeland Security Operations Center is a 24 by 
7 watch center that on behalf of DHS or at large it provides situa- 
tional awareness across all of our enterprise, across the entire 
United States, integrates information to ensure that we understand 
from all hazards what is going on at any given point in time. Infor- 
mation piped into that HSOC is analyzed, understood in the con- 
text of is it threat information, is it incident data? And then we 
share with the respective elements of DHS to ensure that the ap- 
propriate actions are followed upon. 

In the context of other situational awareness types of watch cen- 
ters, the ICD, the Infrastructure Coordination Division, is ulti- 
mately responsible for the coordination of activities as it relates to 
infrastructure protection and monitoring what is going on across 
all of our infrastructure components irrespective of incidents. 

The distinction there is ICD is going to be creating — I will add 
one more acronym to you — the NICC, the National Infrastructure 
Coordination Center, which is going to be the amalgamation of all 
these watch centers. This is just an evolutionary process to the 
comment of not breaking it as we are building it. We do not want 
to denigrate the capability we have with existing watch centers as 
we are building the one amalgam capability that is going to re- 
spond to our situational requirements, very large infrastructure 
protection, which will mean the incorporation of the NCSD’s watch 
center, the NCC, the National Communication Coordination Cen- 
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ter, and other elements for infrastructure coordination, all under 
the ICD. 

The interconnectedness between the Homeland Security Oper- 
ation Center and the NICC is paramount for us. We are looking to 
augment the capabilities of the HSOC. We have NCSD and as well 
as other infrastructure protection components on the HSOC which 
are responsible for doing incident management real-time. 

The reach-back capability to determine what the impact of an in- 
cident may be is going to be through the Infrastructure Coordina- 
tion Division and, through that center, the NICC. And it is really 
reflective of the complex nature of all of our infrastructure compo- 
nents. Instead of creating one gigantic coordination center, we are 
really looking to leverage the capabilities that we have established 
through DHS to ensure that we have got the right expertise coming 
to the table at the right times to provide the answers as necessary. 

So it is not a redundant capability, sir, it is clearly an augmenta- 
tion of the capability, depending on what function they are serving 
at a given point in time. 

Mr. Cox. But I heard in what you said that you also are antici- 
pating further consolidation. 

Mr. Liscouski. That is correct, sir. We are consolidating the 
watch centers, the national, the NCS, the National Communica- 
tions System. The NCD’s watch center will be incorporated into the 
NICC. That is correct. 

Mr. Cox. How is my time, Mr. Chairman? 

Mr. Thornberry. The gentleman’s time has expired. 

Mr. Cox. All right. I thank the CHAIRMAN. 

Mr. Thornberry. Although the Chair is trying to be lenient. 

The gentlelady from California. 

Ms. Lofgren. Thank you, Mr. Chairman. 

I have had a chance to — although I didn’t have a chance to read 
your testimony, Mr. Cooper, I did have a chance to review your 
comments to the House Government Reform Committee in October 
of last year. And in that testimony, you had given your first draft 
of the Department Enterprise Architecture Plan, and you provided 
what I think you called a Quick Hit Project that you thought could 
be accomplished within 6 months. And some of those quick hits 
were integrating watch lists, network integration, developing exter- 
nal information sharing strategy, completing a feasibility study on 
integrating Immigration and Customs case management systems, 
and a number of others. 

Now, we don’t have teams of people auditing your department, 
but I don’t believe we yet have a unified watch list data base. And 
the Inspector General has told us that the lack of an agreed-upon 
IT infrastructure prevents the Office of Information Analysis Risk 
Assessment Division from communicating with State, local, and 
private sector partners, and that inhibits the exchange of informa- 
tion. And the IG also says that there is concern that the IAIP lacks 
connectivity to access sensitive data bases maintained in other Fed- 
eral agencies, which hampered their efforts to conduct business. 
And, you know, you can’t always believe what you read in the 
press, but Information Week has reported that your office has had 
problems handing over and receiving secured e-mail. 
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Can you provide us with an update and where we are on all the 
quick hits that you were going to get done by now? 

Mr. Cooper. I can give you an initial update, and I would like 
to also provide information in writing on all of the quick hits rep- 
resented in the first release of enterprise architecture. But let me 
address a couple that I think are very, very relevant to the points 
that you made. 

With regard to an integrated watch list and with regard to infor- 
mation sharing, the Secretary and the Deputy Secretary have al- 
ready initiated an information sharing program that is now under 
way within the Department. The business owner is General Frank 
Liboutti, who is our Under Secretary for Information Analysis and 
Infrastructure Protection. Under his guidance, he has named a pro- 
gram director, and a team has been established that has already 
begun work in addressing how we will move forward to better im- 
prove our connectivity and our ability to put in place a two-way ex- 
change of information with all of our stakeholders, both internal 
and external. 

Ms. Lofgren. Can I interrupt to try to understand? 

Mr. Cooper. Yes, ma’am. 

Ms. Lofgren. So this information sharing effort is only within 
the Department? Does it include the FBI and those agencies that 
are outside the Department? 

Mr. Cooper. Yes, ma’am. It will address the full national scope. 

Ms. Lofgren. It will but it does not currently? 

Mr. Cooper. It does not currently. We are in the early stages of 
formation, and the team exists and is now working through the 
various requirements for the different communities with which we 
must interact. 

Ms. Lofgren. When do you think that will be done? 

Mr. Cooper. Our expectation is to hit the deadline set for us by 
Under Secretary Liboutti, and that means that we will have a sig- 
nificant amount of this in place operational and done by the end 
of this calendar year. 

I also want to highlight that in the quick hits we have in place 
and operational what we are now calling our Homeland Security 
Information Network. We built off a program called JRIES, Joint 
Regional Information Exchange System, that is operational. It is in 
place. And we are rapidly expanding membership in that system 
and as part of our Homeland Security Information Network. In the 
next several months, we will expand from the current about 50 
participating State, local, and Federal partners who are already 
connected to probably about five times that number in the next 
several months. And, again, I will be more than happy to provide 
detailed program plans related to information sharing and building 
upon what is already operational. 

Ms. Lofgren. I see that I am just about to run out of time. But 
I would like to get, I am sure every member of the committee 
would want, a report on each one of the quick hits and the current 
status. Before — I guess my time has completely expired, so I will 
yield back to the chairman. I expect we will have a second round. 

Mr. Thornberry. I thank the gentlelady. 

The gentleman from Nevada. 

Mr. Gibbons. Thank you very much, Mr. Chairman. 
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Gentlemen, welcome to the committee. We are happy to have 
you. Your information has been extremely helpful to us. 

Cybersecurity is not new. It is something that not only your 
agency but other Federal agencies have been working on for dec- 
ades in some cases. If you could help us better understand how 
agencies like the NSA, National Security Agency, NGA, National 
Geospatial Intelligence Agency, the CIA, the DOD, all of those 
other agencies’ efforts have been or have not been, I don’t know 
what the answer will be, integrated into your effort in 
cybersecurity. How do you leverage their experience, their efforts, 
their work product over these many years to help you? 

Mr. LISCOUSKI. Thank you, sir. And there is a couple of different 
perspectives on the roles and responsibilities within those agencies 
and how they would integrate and how we partner up. 

DHS has got a protective mission and the protective mission we 
have in terms of looking at how we should best protect our critical 
infrastructure, the partnerships that we have got there clearly 
within the Intelligence Community and the NSA and the DOD spe- 
cifically are we actively leveraging those. We have got a very strong 
partnership with NSA across a number of fronts. Up until just re- 
cently, until a recent transfer, the Deputy Director of the NCSD 
was in fact an NSA detailee, and it provided tremendous oppor- 
tunity for us to leverage the experience that they have over the 
years of being able to gain an understanding of how to best protect 
those systems, and we are actively looking or looking forward to his 
replacement to come on board very shortly. Similarly, within DOD, 
who also has a protective mission for their dot-mil domain, we 
partner up with the Joint Task Force For Computer Network Oper- 
ations. We have a very robust exchange of information between our 
US-CERT and their operations center. We have got very good per- 
sonal relations as well as operational relationships with that agen- 
cy- 

On the offensive side, clearly within the domain of that realm, 
I speak at a very high level here, we are able to partner up with 
CIA and other Intel Community efforts to understand how they 
best look at their offensive mission to understand how we best need 
to look at our defensive mission based upon what the capabilities 
are out there. 

On the intel side, in terms of the threat assessments, as you may 
know, through our Information Analysis Office we use them as the 
portal back into the Intelligence Community. We regularly drive re- 
quirements into the Intel Community to better understand how we 
can best protect our networks and our Nation’s infrastructure from 
cyber threats. 

So it is really a multifaceted approach. I would say it is highly 
integrative from the standpoint of either through people, exchange 
of people, or through active exchange of information. 

Mr. Gibbons. Very quickly, who establishes the standards by 
which you integrate and take advantage of all of these multiple op- 
erations? Is there a common standard which is being established, 
and are you part of that? Do you control it, or is some other agency 
in control of the standard and definitions about how this 
cybersecurity program that you just described takes place? 
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Mr. Liscouski. Well, we have got the benefit of the Homeland 
Security Presidential Directive 7, which was signed by President 
Bush on December 17th of 2003, which provides us the framework 
for integration of all of the — real large for infrastructure protection, 
not just for cyber, to ensure that we have appropriate roles and re- 
sponsibilities laid out for that protection. We are actively engaged 
in framing out not just the strategy but the implementation of that 
strategy. It is a work in progress as we develop the plan we are 
implementing. But we are able to negotiate with respective sister 
agencies in the Federal Government as well as State and local and 
the private sector to understand how we have to, again from the 
total infrastructure protection picture, flesh out the responsibilities. 
Who is going to do what? What programs are necessary to be done? 
Where the gaps are? And, most importantly, from the perspective 
of outcomes, how do we measure the outcomes to ensure that we 
have effectiveness? That falls under the auspices of HSPD-7. I 
have direct responsibility for that. I have got a program office in 
my office to do this, and we are actively engaged in fleshing it out. 

Mr. Gibbons. One final quick question. What degree does the 
DHS enterprise architecture plan to marry up with the Federal en- 
terprise architectural efforts as well? 

Mr. Liscouski. I will defer to Mr. Cooper for that. But I will just, 
as a segue into that, is we are wholly dependent on Mr. Cooper’s 
efforts to provide us the backbone enterprise architecture for our 
operations. 

Mr. Cooper. It is aligned. Even before the Department was 
formed, we actually began working with the Federal enterprise ar- 
chitecture framework to both work with Dr. Haycock, who was 
guiding the charge under Norman Ranscript of the Office of Man- 
agement Budget, and we have continued that relationship since. So 
it is very much alive. 

And in those business areas that are critical to Homeland Secu- 
rity, we become, if you will, the lead agency. So as the work we do 
to populate the business processes, the informational requirements 
and then supporting technology, that flows into the Federal enter- 
prise architecture. 

Mr. Gibbons. Thank you, Mr. Chairman. My time has expired. 

Mr. Thornberry. I thank the gentleman. 

The gentlelady from the Virgin Islands. 

Mrs. Christensen. Thank you, Mr. Chairman, and I would like 
to welcome our two witnesses, also. 

Mr. Cooper, do you feel that your office has the sufficient author- 
ity to drive IT integration within the Department of Homeland Se- 
curity, even though you don’t have direct line authority over divi- 
sional chief information officers? And, if not, is there anything that 
we can do to strengthen that position, the position you hold within 
the Department of Homeland Security? 

Mr. Cooper. What I have done is to have created a Department 
of Homeland Security CIO Council, which is comprised of all of the 
named or titled CIOs who came into the Department with their re- 
spective agencies that now comprise the full Department. Addition- 
ally, I have asked the Chief Financial Officer and the Chief Pro- 
curement Officer to participate with us as full members of that 
council. Together, we have been participating in the investment re- 
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view process of the Department. That is under the guidance of the 
Under Secretary for Management and Under Deputy Secretary 
Loy. I believe that in concert we have been appropriately bringing 
forward the proper recommendations, the proper decision-making 
framework so that we can make adjustments, if necessary, in some 
of the alignment that we inherited with regard to legacy applica- 
tions and/or infrastructure investment. We will continue to learn, 
we will continue to grow, we will continue to refine these processes 
as rapidly as we can. 

Mrs. Christensen. And to what extent also does your office 
interact with other Federal agencies outside of DHS? 

Mr. Cooper. I personally participate in the Federal CIO Council. 
So there are regular meetings. I am also a member of the Execu- 
tive Committee of the Federal CIO Council. We draw upon the Fed- 
eral CIO Council for a lot of that interaction. Additionally, our 
Chief Technology Officer and our Deputy Chief Information Officer 
are also members of that committee. So the three of us participate 
very actively. 

Mrs. Christensen. Do you provide standards for the other agen- 
cies that are outside? 

Mr. Cooper. My office actually does not provide standards for 
other Federal agencies. But let me give you a real example of how 
it works. We, like other Federal Cabinet agencies, receive the direc- 
tion and guidance that are set by Mr. Liscouski’s area of responsi- 
bility, and we then apply, as all Federal CIOs would do, we apply 
that guidance and those standards, those accompanying standards 
within the Department of Homeland Security. 

Mrs. Christensen. Assistant Secretary Liscouski, last week we 
had a briefing from two of the private infrastructure organizations, 
the financial and telecommunications sectors. Could you tell us 
how your office interacts with the private sector? And early on, in 
the early days of the Department there seemed to be not an easy 
relationship, or there were problems that needed to be resolved. 
Could you talk about the relationship within your office and those 
private sector agencies? 

Mr. Liscouski. Yes, ma’am. We have a very aggressive outreach 
program with the private sector, and you are accurately portraying 
the relationships in the beginning. The legacy relationships that we 
inherited from the PDD-63 effort that ultimately authorized the 
establishment of the ISACs, the Information Sharing Analysis Cen- 
ters, didn’t allow for sufficient leadership and engagement at the 
private sector level to allow them to mature to a level of capability 
that would ensure that we had robust information sharing going 
both horizontally across information or industries as well as 
vertically back up to the government. 

The first couple of months we were engaged with the private sec- 
tor, we actively looked at that model to see how we could best le- 
verage it, and the first part of that was to determine the validity 
or the value of those information sharing analysis centers. And I 
can tell you from my private sector experience, I looked hard at the 
efficacy of that effort. 

To be candid with you, when I looked real hard at it. I saw there 
was a lot of opportunity there that we could leverage very well into 
a success story by enabling and empowering the private sector 
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through the ISACs to develop their horizontal relationships, how 
they integrate and how they collaborate information. And that was 
the road that we embarked upon to ensure that we could establish 
that. 

We have got a very good story to tell. I hope you heard that last 
week between the FS ISAC specifically. 

Mrs. Christensen. What exactly is your current relationship 
with the ISAC Council? 

Mr. Liscouski. Well, we have got an excellent relationship with 
the ISAC Council. They have stepped up to the leadership plate 
and they have provided what has been necessary and has been pre- 
viously missing with the private sector, and that is the private sec- 
tor leadership going back down into the private sector. They are ac- 
tively engaged with my office both through the Infrastructure Co- 
ordination Division, which is responsible for managing ISACs and 
funding ISACs, as well as directly through my office I actively en- 
gage with them minimally once a month on a council level and 
much more frequently on an individual level. So I think we have 
got a very robust and a very successful story to tell as it relates 
to our private sector partnership there. 

Mrs. Christensen. Thank you. I think my time is up. 

Mr. Thornberry. I thank the gentlelady. 

The gentlelady from Washington, the Vice Chair of the com- 
mittee. 

Ms. Dunn. Thank you very much, Mr. Chairman, and welcome, 
gentlemen. It is very interesting as we begin to tie some of these 
responsibilities together to get a clear view from your point of view 
on how things are working. 

Secretary Liscouski, in your written testimony and in your testi- 
mony before our panel today, you identified a couple of major steps 
in your management methodology that were interesting to me. One 
was the identification of critical infrastructure. Another was the as- 
sessment of vulnerabilities. I am especially interested in knowing 
how you work together with local government bodies and State gov- 
ernment bodies and the private sector, what kind of input they 
have into these assessments, and whether they have a direct pipe- 
line to you to know what you decided on. 

Mr. Liscouski. Yes, ma’am. Thank you, and I appreciate the 
question. 

As I pointed out, our partnership with the private, sector — and 
coming from the private sector, my bias is that we have to work 
closely with the industry to determine what they believe their pri- 
orities are, and we have to normalize those priorities with what we 
believe are our national level priorities. 

We accept ready input from both the private sector, the associa- 
tions and, importantly, the State and local and tribal governments 
to ensure that we have got their perspective on what has to be pro- 
tected and how it can best be protected. We develop common 
vulnerabilities assessments, common best practice methodologies, 
which are vetted through our State and local and tribal contacts as 
well as the private sector to ensure that we have got, in terms of 
our achieving infrastructure protection at large, consistent, effec- 
tive, sustainable, and measurable capabilities and results across all 
of our critical infrastructures. 
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Now, as a general statement, I will tell you that we are suc- 
ceeding in that very well. The methodology that we have outlined 
is that, at a national level, is scalable right down to an individual 
company level. It is the type of methodology which is being adapted 
to ensure that we help the industry at the single entity level as 
well as those that are highly interconnected to ensure that we can 
identify those vulnerabilities, the assets that need to be protected, 
the vulnerabilities, and the appropriate levels of programs. 

The reason integration is so important to us, not just within the 
Infrastructure Protection Office as it relates cyber and physical, 
but clearly as it relates to State and local involvement, is because 
these efforts cannot be done unilaterally. The private sector cannot 
afford to protect itself nor does it have the wherewithal to protect 
itself that the State and local governments do in their law enforce- 
ment and protective authorities. So all the programs that we have 
developed and designed have been in collaboration and coordina- 
tion with all those stakeholders to ensure that we have both a ra- 
tional approach and an effective approach, and one which is dy- 
namic enough to be molded against the current threat at any given 
point in time. 

As you know, it is a very dynamic threat environment, so it is 
a work in progress. Clearly, the engagement we have with the pri- 
vate sector, we are constantly being fed with new technologies and 
new ideas on how to best implement programs that can be effec- 
tive. At the end of the day, it is the private sector who is respon- 
sible for ensuring that they are doing what they need to be doing 
to protect that critical infrastructure. So we have a significant ef- 
fort there. 

Ms. Dunn. The State and local governments are satisfied with 
the relationship they have with you? 

Mr. Liscouski. At a general level, I would say they are, but as 
everything, I think there are different opinions. 

We have clearly a lot of room for improvement across the board. 
We are not satisfied with where we are today. We are in the very 
early stages of building this program. It is a long-term approach, 
but I think we are satisfied with the approach we are taking. 

Over the recent holiday threat period, we were actively engaged, 
and I am sorry to see Mr. Gibbons go because I had the oppor- 
tunity to be out with Mr. Gibbons in Las Vegas during that period 
of time in which we had very robust meetings with the private sec- 
tor, State and local governments. To be candid with you, I wasn’t 
quite sure what kind of reception we were going to get, but we 
worked through many very difficult issues and came up with some 
very successful solutions to a response of that holiday threat pe- 
riod; and I think it is representative of the types of efforts we have 
out there that do tell a good story. 

Ms. Dunn. That is good. 

I think it is very useful that both of you have been in and out 
of the private sector, so you understand the value of what they can 
contribute and the kinds of communications that they need in order 
to be part of this whole thing. I think it makes us all stronger. 

Let me ask you, Mr. Cooper, one question. The enterprise archi- 
tecture team that you have started is going to come up with a plan 
to connect networks within the Department of Homeland Security. 
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At the same time, you have new programs being started up, like 
U.S. VISIT. Do you believe that you are in contact with them to 
the extent that you know what sort of information-sharing require- 
ments they have and is it working well together? 

Mr. Cooper. Yes, ma’am. I am actually a member of the execu- 
tive advisory committee of U.S. VISIT in that specific example and 
also participate in the advisory committees of all of our major pro- 
grams. We are deliberately looking for major programs to leverage 
whatever capability is being established. For example, within U.S. 
VISIT, as we roll out new biometric capability at the borders and 
ports of entry, that requires some new underlying infrastructure. 
We are actually leveraging that new investment as part of the U.S. 
VISIT program to ensure that infrastructure enhancements that 
we are making become the foundation of the direction that our in- 
frastructure requires and — as represented in our enterprise infra- 
structure architecture. 

We are doing the same thing with Customs and Border Protec- 
tion’s ACE program. We are leveraging the legacy Immigration and 
Naturalization Service’s Atlas program for which there is appro- 
priated funding to better establish infrastructure, and we are work- 
ing to coordinate all of those investments within our enterprise ar- 
chitecture activities. 

Ms. Dunn. Are you going to be able to get the FBI and CIA to 
come together so the U.S. VISIT can use their information in a way 
that is consistent? 

Mr. Cooper. I am confident we will do that. I am afraid where 
we might have a difference of opinion is the timing that it might 
take. 

Mr. Thornberry. So the question is, are any of us going to be 
alive when it happens? 

Gentleman from North Carolina. 

Mr. Etheridge. Thank you, Mr. Chairman, and let me thank 
you gentlemen for being here this morning. 

Mr. Cooper, I know — I think a question has been asked in one 
way on the testimony previously before the Government Reform 
Committee, and let me go back to that and ask my question a little 
different way, to some extent on the same subject as it relates to 
the 18 projects. Let me talk about two of them and one very specifi- 
cally, I think, because right now, as you are trying to pull these 
together, and I guess I am very interested in particular — first, as 
you talk about the State and local industry needs survey, what do 
you hope to gain and what is its status is what I would like to 
know. 

And let me go to another one that is very specific that I know 
my office and, I assume, many offices have problems with. This is 
an ongoing problem of getting information out of the Citizens Im- 
migration Services, or CIS, because for my constituents they are 
constantly blaming the computer system. We call them, and they 
keep saying it is the computer system’s problem. Well, garbage in, 
garbage out. You know what I am talking about in computer lan- 
guage. 

And I am very interested in hearing about the feasibility study 
on integrating immigrations and Customs case management sys- 
tems. Specifically, don’t we need to fix the immigration computer 
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problems first before we integrate those with Customs? Because if 
we don’t get them fixed and integrate them, we are compounding 
the problem. I hope you will help me understand that so I can 
share that back with my staff who are quite upset about it. 

Mr. Cooper. I understand. Let me take them in reverse order of 
your question. Let me go ahead and address citizenship and immi- 
gration services. 

First, I do agree and the approach we are taking is exactly as 
you described. We have done a couple of things very actively. First 
we have — . 

Mr. Etheridge. Can you give me a time line as to when we will 
have it fixed? 

Mr. Cooper. I will give you our current working targets of tim- 
ing. The first thing that I had done is I have worked directly with 
Director Aguirre and his staff. We have named a CIO in Citizen- 
ship and Immigration Services. That individual is already on board 
and working directly with his staff and directly with the program 
folks to first, as you properly point out, to fix the problems with 
both the process as well as the underlying information technology 
that supports those processes. 

They will address, first, developing and reengineering any of the 
processes that they find to be inefficient or lend themselves to opti- 
mization. Only until that work is done will we then move forward 
to integrate with other component parts of the organization. 

So we are following your advice. We are fixing the problems first, 
streamlining process, understanding requirements, understanding 
the information necessary to support those processes; then auto- 
mating within CIS, then integrating. And there is opportunity to 
integrate in that case management arena. 

We have also ongoing an integrated consolidated case manage- 
ment effort that is at the very beginning so that the CIS folks, who 
are developing the work that I am just describing to you, are also 
part of a larger interdepartmental working group. And then, in 
turn, we also have reached out to other Federal agencies, like the 
Department of Justice or the Department of Energy, who have 
automated solutions in place to then evaluate, might there be an 
already existing solution that we could reuse that we could bring 
to bear? And the goal is to optimize, streamline and modernize, but 
don’t necessarily build all this stuff from scratch because we are 
suddenly a new department. 

Does that give some guidance. 

Mr. Etheridge. The time line? 

Mr. Cooper. Here, again, we are moving forward. The time line 
to address the backlog is 6 months, the target that Director 
Aguirre has given us to direct the backlog and a lot of the cases 
kind of pending, from roughly this time period. 

Another way of thinking about that is that our goal is to address 
this and have real solutions on the ground and to have cleared that 
backlog as fast as we can. But Director Aguirre’s direction to me 
and to my team is help us do this by the end of the fiscal year. 

Mr. Etheridge. October 1? 

Mr. Cooper. Six months, that is the target, this fiscal year. 

Very quickly, in the State and local information sharing, that 
type of thing, as part of the program that I mentioned to you that 
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Under Secretary Libutti is guiding, as part of that, I actually have 
been working along with several of our other colleagues and lead- 
ers within the Department, particularly the office of State and local 
government. 

We actually have been reaching out through the National Asso- 
ciation of State CIOs and through a number of larger city CIOs, my 
office and me personally. We have been exchanging information. 
We have been working to better understand the requirements for 
information sharing from State and local and tribal government 
and from members of the first responder community. We are doing 
that not only through my office, but when we have something like 
Project Safecom which is also reaching out on the interoperability 
issue. That is how we are gathering requirements. We are then 
taking those and applying them and sharing them within the De- 
partment and working together within the Department and State 
and local partners to put solutions on the ground. 

Mr. Etheridge. I know my time is up. Is that sharing a two-way 
sharing? 

Mr. Cooper. It is a two-way sharing. In fact, we require them 
to guide us. We can’t see the requirements from the Federal envi- 
ronment. We are dependent upon them to provide local require- 
ments. 

Mr. Etheridge. In a lot of cases, they are really our eyes and 
ears for those people who don’t have the data. 

Mr. Thornberry. I thank the gentleman for his good questions. 

The gentleman from New Jersey. 

Mr. Andrews. Thank you, Mr. Chairman. I would like to thank 
our witnesses for their testimony this morning and for their service 
to our country. I know they do it at some considerable sacrifice. 

The first thing I thought about last August when I heard about 
the blackout that was rolling across the northeast United States 
was whether it was an accident or whether it had been deliberately 
caused. 

Let’s assume — and happily all the evidence from that is that it 
was an accident. Let’s assume that, this morning, a utility company 
in Wisconsin found evidence that someone was hacking into their 
system with an apparent attempt to bring down the system and 
bring down the grid. How would you find out about that? 

Mr. Liscouski. We learned a lot from the blackout, sir, and the 
processes we established with NCSD and through IP in general, 
particularly as it relates to situational awareness during that 
blackout period served us very well. For instance — . 

Mr. Andrews. Not to interrupt, but if that happened this morn- 
ing, who would tell you? 

Mr. Liscouski. What we learned in the blackout period was the 
processes we put in place at that time were exactly the same proc- 
esses we would learn from an event similar to the hypothetical you 
just provided. We work with FERC, NERC in particular, which is 
the North American Electrical Reliability Council, which estab- 
lishes the ISAC management point for our relationships with all 
the private sectors that relate to the electric utility companies. 
They have a very robust capability and the communications across 
the grid to pick up on incidents. Most likely, that would be the first 
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indication for us reporting back from the private sector back into 
the ISAC, directly back into DHS about any activity like that. 

Mr. Andrews. Would the utility company be required to tell you 
this, or just do it as a matter of good practice? 

Mr. Liscouski. There is a requirement — and I am getting a little 
bit out of my lane here as it relates to the regulatory requirements 
set forth by both the FERC and the NERC, FERC in particular; 
but I believe that there is a requirement to report those outages, 
but I can’t specifically cite the authorization for that regulation. 

Mr. Andrews. I know this is probably an unknowable answer, 
but give me your best guess. 

How long would it take between the discovery of the intrusion by 
the utility company and report of the intrusion to responsible au- 
thorities within your division? 

Mr. Liscouski. There are a lot of dependencies on that chain — 
in the chain of that reporting. The first indication would be the 
robustness of that particular enterprise that might be under attack 
to detect an attack. In some cases, it might be a failure that might 
be the first indication of an attack. Where there is more robust ca- 
pability, they are doing network monitoring and there are stand- 
ards that have been supplied by NERC for implementation for 
cybersecurity, particularly resulting from the blackout example 
that would allow a utility company to be able to detect what is 
going on and therefore report it. 

It depends upon the magnitude of the type of attack, their capa- 
bility to detect that. 

Mr. Andrews. I think I just heard you say that your ability to 
know would be very dependent upon the robustness of the detec- 
tion system the utility company has in place. So if they had a weak 
system in terms of detection, you all might miss it all together? 

Mr. Liscouski. It really depends upon the type of attack. If it is 
a very specific attack against a specific company, a utility company 
or any other company that might be on the Internet, specifically 
targeting them, there are a couple of points we might be able to 
get information from, a, from the ISP which might be monitoring 
network activity that might see an increase of traffic to a specific 
IP address that might result in a denial of service for instance. The 
IP could report it to us, the target company could report it to us; 
it really depends upon the scenario. It is not easy to come up with 
a cut and dried answer to say, yes, it can happen, or no, it can’t 
happen. 

Mr. Andrews. Let us assume that the information was accu- 
rately reported and let us further assume that there were tools at 
your disposal that would stop the spread of the problem, that you 
could wall off other parts of networks and other parts of systems 
to protect other parts of the power grid. And let us assume that 
your best experts in your department said that is what you ought 
to do. 

Do you have the authority to tell people to do that or not? Do 
you have the authority to tell the other people in the utility system 
that they have to follow those prescriptions or not? 

Mr. Liscouski. Taking the example, in partnership with the De- 
partment of Energy with whom we have — and the FERC with 
whom we have a strong relationship in the protection of critical in- 
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frastructure, by extension, I would say we have the authority to 
initiate that activity. 

The actual execution of that authority would be with those re- 
spective regulatory agencies that have that specific legislative au- 
thority. But in terms of taking an action and prescribing a specific 
action, going back to the earlier conversation I had about the 
HSPD7, we are exactly in the middle of framing out those roles and 
responsibilities and how we would broker those relationships. 

Mr. Andrews. What I think I just heard you say was that if you 
detected the attack and if you had a clear recommendation as to 
what to do about it from your experts that you would have to have 
some cooperation from the Department of Energy to execute the so- 
lution, right? 

Mr. Liscouski. I think it is more appropriate at the FERC level. 

Mr. Andrews. You would have to have some cooperation from 
FERC and there are other regulatory bodies that might have some 
flow in this, too. The Nuclear Regulatory Commission might have 
a hand in it? 

Mr. Liscouski. They might. 

Mr. Andrews. I raise these questions not just to paint an inter- 
esting hypothetical, but I think we have a lot of technological 
issues, and we have a lot of very smart technological people to ad- 
dress them; but I think fundamentally we have a management 
problem, an analytical problem. And the analytical problem is, who 
is in charge when we have a crisis? 

I don’t pretend to have an answer, and I don’t advocate the an- 
swer that government be in charge of private enterprises in these 
circumstances. I don’t want to see that. But we need to think 
through, “we,” the committee, the administration, everyone, these 
protocols, because we don’t have a lot of time to make these deci- 
sions. And even if we have honed the technology to the point where 
we know what is going on, and we have some good ideas what to 
do about it, we have created confusion or dysfunction — you 
haven’t — as to who is in charge of what. 

Mr. Liscouski. I don’t think that is the appropriate characteriza- 
tion. I think we have good leadership. I think DHS, the brilliant 
part about the creation of this department is it does pin leadership 
responsibilities on the Secretary in working through the relation- 
ships we have with sector-specific agencies. It may not appear to 
be a direct line of authority, but there is a clear line of communica- 
tion that — we got activity going, and we have plenty of examples 
over the recent threat periods of how we have exercised that au- 
thority in cooperation. 

Mr. Andrews. Can the Secretary order utility companies to do 
what your folks would say they should do? 

Mr. Liscouski. I feel pretty confident we can exercise the nec- 
essary actions we would need to get to get the appropriate action 
at that level. We have a cyber IIMG, Interagency Incident Manage- 
ment Group, that was stood up subsequent to the live wire exercise 
that took place this past fall in which the lesson there was that we 
need a cyber response. We quickly created that capability. 

I am confident, sir, that we have the leadership that we need. 
Do we need to refine that and figure out how we do it better? Abso- 
lutely. 
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Mr. Andrews. I realize my time is up. I am not in any way im- 
pugning the leadership capabilities of people in these jobs nor am 
I doubting our competence to do them. What I am wondering about 
is because of the relative infancy of this department whether a — 
knowing bureaucratic turf battles to be what they are, if we were 
find ourselves mired in a bureaucratic turf battle at a time that we 
had to make some very quick decisions, I think it behooves us to 
answer those questions in advance so people know clear lines of au- 
thority. 

Mr. Liscouski. We are actively engaged in looking at those lines 
of communication. I would be happy to come back and talk to you 
about that. I wouldn’t want you to leave this committee room 
thinking that we haven’t thought about that or we haven’t taken 
activity on that. 

Mr. Andrews. I certainly don’t think. I think we collectively need 
to think more about it and establish clear lines of authority. 

Mr. Thornberry. Gentleman from Rhode Island. 

Mr. Langevin. Thank you, Mr. Chairman. 

And, gentlemen, thank you for being here. I would like to touch 
on a couple of areas that have already been touched on this morn- 
ing, first, dealing with JRIES and the second dealing with outreach 
to private industry. 

First of all, can you tell us about the relationship between JRIES 
and RISSNet? Those people who may not be familiar with it, that 
is the Regional Information Sharing Network used by law enforce- 
ment. It is a highly effective tool for intelligence sharing and obvi- 
ously it is a proven entity. 

It was my understanding that JRIES was supposed to partner 
with RISSNet, but evidently that has not happened. And, in fact, 
from what I understand, RISSNet has been sidelined by DHS. So 
I would like to ask why it seems that you are pushing aside a prov- 
en system for a brand new one. 

Second question for Secretary Liscouski: Last week I had a meet- 
ing with the IAIP directorate’s enterprise architect Jonathan Houk 
and a company from my district, Ibis Consulting, to discuss how 
DHS is tapping the vast amount of expertise residing in the private 
sector. And I was pleased to hear that he is trying to leverage in- 
dustry resources as much as possible in setting up IAIP’s enter- 
prise architecture, which is still obviously in the planning stages. 

But aside from Mr. Houk’s efforts, I would like to hear more on 
how effective DHS has been in forging industry partnerships. And 
I would like to hear more from you and Mr. Cooper about DHS’s 
policies and guidance concerning industry outreach, if you would 
take the RISSNet question first. 

Mr. Cooper. Let me address that for you, sir. 

You are correct in that there was a period of time where the com- 
munication between the two programs was not occurring and was 
not anywhere near as effective as I think both groups and DHS 
want it to be. Much more recently, myself included, we have gotten 
that back on track and the RISS.Net team has met with the JRIES 
team and the program director to reengage and to actively build 
upon the work that RISS.Net has already done and to rapidly map 
into our homeland security information network, which is now 
what JRIES is evolving into as far as a label. It is a broader 
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scoping. And that change in title properly reflects the broader 
scoping on behalf of DHS. So I do acknowledge that there was a 
temporary delay. We didn’t have the effective communication. We 
believe very strongly that now has been corrected and I know that 
as of last week, there had been more recent meetings between the 
RISS.Net team and the JRIES team to move this forward. 

Mr. Langevin. I am encouraged to hear that. 

Mr. Liscouski. Sir, with respect to the private sector outreach 
program, we have it in many dimensions. Let me address the cyber 
one since that is the focus of this panel or meeting this morning. 

Mr. Yannis has taken a very aggressive approach in establishing 
private sector partnerships. The first event that he participated in 
was the cyber summit back in December in which we were actually 
able to announce and get him engaged in the private sector out- 
reach program. But subsequent to that, there have been a number 
of initiatives that he is engaged in. There is a US-CERT, private 
sector partnership program. They are on daily watch calls with the 
private sector either directly with private sector entities or through 
the ISACs. The task forces that have result from the cyber summit 
are also reporting back and are actively engaged with the NCSD 
in providing information and recommendations about how they can 
influence best practices throughout the industry. 

Across infrastructure protection, we have traditionally have 
had — traditionally, in a year, if you can establish a tradition in the 
year, we have had active engagement with the NSTAC, the Na- 
tional Security Telecommunications Advisory Council, which is a 
presidential council established through the NCS; the NIAC, Na- 
tional Infrastructure Advisory Council, which was established 
through the legacy organization of the CAIO. Those are things we 
are actively engaged with. 

The Homeland Security Advisory Council, which was established 
by the Secretary, has its own subcouncil, the Private Sector Advi- 
sory Council, with whom we are actively engaged. They represent, 
really, leadership of industries at the top level, at the CEO level, 
with whom we both exchange ideas and get influence from, again, 
the ISACs themselves across all the infrastructure components. 

The private sector component is one in which I personally take 
an active leadership role, ensuring that we have got the right 
things going on there. We look for every form possible to ensure we 
get both feedback as well as getting our message out there. And 
importantly, when we get the feedback, it is, what do they believe 
they need to be doing to better protect our critical infrastructure; 
and we take that feedback into our thinking about how do we de- 
velop programs, realistic, going back to the consistent, effective, 
sustainable and measurable types of approaches we try to take. 

I could, frankly, better take the remaining time here to talk 
about the different types of relationships and I would like to ad- 
dress something specific if you have it. 

Mr. Langevin. Can you talk about your interaction with small 
business? Very often they are the innovators and entrepreneurs 
that are out there at your basic level that have a product they be- 
lieve can fill a niche. This is what happened with Ibis Consulting, 
and I put them in touch with the right people. 
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But how easy is it for small business to reach someone at DHS 
and get some type of an answer or an action? 

Mr. LISCOUSKI. There are two parts to that question. 

From a protection standpoint, we actively reach out to small 
businesses through our partnerships with our private sector out- 
reach office, Mr. A1 Martinez-Fonts, who you may know is a Spe- 
cial Assistant to the Secretary. His office is responsible for ensur- 
ing that we don’t let any business fall through the cracks if they 
are not represented by a specific infrastructure sector themselves, 
so leveraging partnerships with U.S. Chamber of Commerce, for in- 
stance, or other industry groups to reach out to those small busi- 
nesses to get the word about how to best protect themselves. 

I was a small business owner and I am a staunch believer in 
what they add to the economy. That is the growth engine for the 
economy. We are very interested in protecting them. In terms of 
outreach and ways they can actually do business with us, I will 
defer to Steve, but the reality is we have a number of mechanisms 
by which companies can reach DHS. 

Mr. Cooper. We have specific focus on small — and medium-sized 
businesses. My office works very closely with Kevin Boshears, who 
is the Director of our Office of Disadvantaged and Small Business 
Utilization; and we have actually, with his guidance, established 
some programs to flow and to make introduction connections with 
small businesses, in particular with my office. 

I have named a Special Assistant For Industry Liaison, Tom 
Bold, and Tom has developed a program that then, in addition to 
Kevin’s guidance to us, we have established a Web site that allows 
small businesses, medium-sized businesses — any business, but we 
are trying to focus on small and medium-sized businesses — to make 
their products and, services with specific areas they believe that 
they can help us address some of the business problems and chal- 
lenges that we face, known to us. 

We have — I personally, along with my team, have met with more 
than 3,000 businesses in the past year. We are trying to meet as 
many and talk with as many people as we can. We feel very, very 
strongly, and I have publicly spoken about the fact that we inside 
the Department don’t have all of the technology-enabled answers. 
We are dependent upon a very cooperative, collaborative partner- 
ship with industry, particularly small — and medium-sized busi- 
nesses where a lot of the innovation does occur. 

Mr. Langevin. I am encouraged by your answer. 

Mr. Thornberry. I thank the gentleman. 

Mr. Liscouski, let me try to see if I can ask a series of questions 
related to the national strategy to secure cyberspace, which the ad- 
ministration issued just before the Department really was up and 
running. But it still seems to me that to offer a good blueprint on 
the issues we need to be concerned about with regard to 
cybersecurity; and what I would like to do is go through some of 
the things they said we need to work on and have you just at least 
give us the name of a program or an effort. We can’t get into the 
details of this stuff, or we will never get anywhere, but I am trying 
to get a feel, over the last year, how much progress have we made. 

The first priority, as you know, is the National Cyberspace Secu- 
rity Response System. That is the first priority in the national 
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strategy. And then they talk about public-private architecture for 
responding to national level cyber incidents. The first specific 
under that is analysis, tactical, strategic, and vulnerabilities. 

Are we doing those things? Are we analyzing those cyber at- 
tacks? 

Mr. Liscouski. We are, sir. 

Mr. Thornberry. Do you do that or does IA do that; or does the 
Cyber Division, which is under you, do that? It says “analysis,” so 
how does that work? 

Mr. Liscouski. Let me take the first part of what we are doing, 
and I will tell you how we are doing it. There are a number of ef- 
forts that we have got under the priority one; the first — and no 
order of ranking here, just to give you the amalgamation. 

There is the critical infrastructure — I am sorry, Computer Inci- 
dent Interagency Management Group that I referred to earlier, 
first part of our response system. There are the alerts that we put 
out through the cyber alert system, as well as the efforts we are 
taking to build our national watch capability. We have got a — one 
effort dedicated to network flow analysis and situational aware- 
ness, and we have got our Cl project, which is our secure and sur- 
vivable communications. 

But who does the analysis that is aggregated among these types 
of efforts is a combination of — we work closely with our information 
analysis colleagues. The unique thing is, you know, about IAIP as 
we are joined at the hip. We both are resources for each other. In 
the context of threats, IA has the responsibility of providing us 
with threat information and that can then be mapped over to 
vulnerabilities. The technical expertise to understand how those 
threats can manifest themselves and those vulnerabilities, particu- 
larly in the cyber world, is found in the NCSD. 

So analysis occurs across the soft center of IAIP if we look at 
where really the heart of what the IAIP organization is providing 
in terms of value to DHS. 

I don’t mean to be overly complicated about this, but there is 
analysis on both sides of that equation. So as it relates to priority 
1, we have a very distinct role from the NCSD’s perspective pro- 
viding that response capability as well as an analytic capability. 

Mr. Thornberry. Number two under that same priority is warn- 
ing, and you just referred to some organization, but that is kind of 
an operational role; it seems to me that is a little different from 
infrastructure protection. I presume that is the same thing. Cyber 
Division is doing all of that analysis and the operational things and 
yet they are under infrastructure protection. I think that is kind 
of a unique situation for cyber, but also raises some questions. 

Mr. Liscouski. It is not unique for cyber. We are doing a similar 
way for telecommunications under the NCS. Similarly, within our 
protective security division, we are doing an analysis on threat in- 
formation as it relates to mapping that threat information into 
vulnerabilities. As I point out, this is a very — you can’t cut that 
Gordian knot. It is robustness of analysis going on both sides of the 
equation. 

The one way that he might look at it is, threat information is 
sort of incident specific. Vulnerability analysis in terms of how 
vulnerabilities may be exploited might be end results specific. For 
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instance, oftentimes we look at if we want to create — if a terrorist 
group is interested in creating a mass casualty type of event, they 
have a number of different ways they can use that: biological event, 
chemical event, bombing, using aircraft as missiles. We all know 
the results and we look at different ways we can affect that type 
of outcome. 

The analysis that has to go on to exploit vulnerabilities in those 
particular modalities of attack are things that our organization is 
responsible for doing. The intent and who has got the capability of 
doing those things clearly resides on the side of the information 
and analysis. 

Mr. Thornberry. Under, still, priority one, one of the things we 
need, the strategy says, is recovery mechanisms and continuity 
plans in Federal cyber systems. Are those under way? 

Mr. Liscouski. Yes, sir, they are. The partnerships we have in 
cross-infrastructure components, but cyber in particular, is in- 
tended to be able to recover from an attack as quickly as we pos- 
sibly can, reconstitute ourselves. That is an integral part of our 
protection program. 

One of the things a good recovery capability does is it devalues 
the target. One of the protection priorities we have is not just hard- 
ened targets, but to quickly recover from an attack should an at- 
tack occur. That effectively devalues the target if we can recover 
quickly. 

Mr. Thornberry. I am not going to go through all of these items. 
I will skip ahead for a second to priority two, which is threat and 
vulnerability reduction. 

Among some of the specific items listed there are securing the 
mechanisms of the Internet including key Internet protocols, Inter- 
net routing, and management of the Internet. How are we working 
with the private sector to do those things that were specifically set 
out in the strategy? 

Mr. Liscouski. We have a number of initiatives currently under 
way in which we are looking at both the vulnerability of the Inter- 
net as well as ways that we need to enhance the security of the 
Internet. One of those efforts, the GEWIS program, which was the 
Global Early Warning Information System, started out as an effort 
that the NCSD has enhanced significantly and gained ownership 
of, is looking broadly across the Internet at the network analysis 
activity that needs to be examined to ensure that we can see at- 
tacks coming over the horizon and take protective actions as nec- 
essary. 

Mr. Thornberry. I think what we might like to do is submit 
some of these other types of questions for the record, going through 
the various elements of the strategy, again not looking for detail, 
because that is way too much, but I do think it is important for 
us and for all of those interested in this topic to have some idea 
that at least there are initiatives under way for the various areas, 
and some of them are not even in your bailiwick. But the initia- 
tives that are under way, we need to know that they are under 
way. 

I yield to the gentlelady. 
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Ms. Lofgren. I realize we are out of time and we have a series 
of votes. I have a lot of questions which I will submit and look for- 
ward to the written response. 

But I did want to make sure that I understood Mr. Cooper’s an- 
swer to Mr. Etheridge, because I wrote it down and want to make 
sure I was not mistaken. 

Did you say that by the end of this fiscal year we will meet the 
President’s 6-month goal on processing immigration? 

Mr. Cooper. I am indeed saying that we are going to do every- 
thing that we possibly can to meet that goal. That is our direction, 
that is where I am placing additional information technology re- 
sources to help do that. 

Ms. Lofgren. Thank you very much. 

Mr. Thornberry. The chairman may have additional questions, 
particularly for Mr. Liscouski, who has another hearing. Maybe Mr. 
Cooper might be more flexible if we need to come back. 

Mr. Cox. We don’t need to come back. I intend to go to the floor 
for the vote, but I would take a few minutes before we leave. 

Mr. Thornberry. We have the gentleman from Florida here. 

Mr. Meek. I will yield to the chairman and I will submit my 
questions for the record. 

Mr. Cox. I appreciate your courtesy. 

On the subject of our overall strategic objectives, I am impressed 
and pleased that the number one strategic objective is preventing 
cyber attacks against America’s critical infrastructures. When I 
look at the priorities as they are laid out, I find that the first pri- 
ority is the response system. The second priority is threat and vul- 
nerability reduction, which has as its analog the second of the two, 
the second of the three overall objectives for DHS itself. 

Likewise, priority 3 is awareness and training. That gets to pro- 
tection. Priority 4 is securing government cyberspace. That, of 
course, is defensive. And within priority 5, as it is outlined, even 
though it is described as international cooperation, there is a bit 
about intelligence sharing and so on. 

But, you know, the main purpose of the Department of Home- 
land Security is to deal with the problem of T and T, terrorists and 
technology, the weapons of mass destruction plus terrorists, the 
possibility that mayone day be upon us. That is the worst thing 
that could happen to the country and, therefore, the first thing that 
the Department of Homeland Security needs to concern itself with. 

Such things as pulse weapons directed at our country, therefore, 
mark what ought to be the top priority in prevention there is clear- 
ly superior to dealing with it after it happens, just as with any 
other weapon of mass destruction. So I wonder if I could inquire 
first whether you have it in mind to place increasing emphasis on 
the prevention piece, because while it is occasionally mentioned, I 
see that we are focused, for understandable reasons, elsewhere be- 
cause it is more tractable; and specifically whether it is possible to 
initiate more meaningful collaboration between the National Cyber 
Division and the Department of Defense. 

Mr. Liscouski. Yes, sir. From our perspective, these programs all 
roll up into a good preventive and protection approach. You can 
take apart elements and see that they contribute to protection. But 
every single one of these, from a response and recovery capability 
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awareness, threat and vulnerability reduction, all really do con- 
stitute good protection programs. So I would, if I understand your 
question correctly, validate this approach in terms of what it accu- 
mulates — . 

Mr. Cox. What I am trying to do is distinguish protection from 
prevention. We have prevention, protection response. I see a lot of 
protection, a lot of response, and I need to understand more about 
what we are thinking about doing in the prevention area. 

Mr. Liscouski. In the context of prevention and again, I don’t 
want to be definitionally based here, but as it relates prevention, 
typically the law enforcement component of interdicting, detecting 
and interdicting what is going on. Detection as it relates to preven- 
tion is clearly within the domain of what we do. The actual activity 
related to interdicting or reducing an adversary’s ability to attack 
us is not something that my organization is charged with. 

Mr. Cox. On the other side of IAIP, in the other half of Frank 
Libutti’s brain, we have the essence of the prevention piece of DHS, 
and it would seem to me that that would apply just as thoroughly 
to cyberspace as anything else. 

Mr. Liscouski. The full circle here — and again, this is trying to 
cut the Gordian knot, but we look at prevention in the context that 
you just provided it to occur at the target level. And the things that 
we can control in the world, that we do to protect — if I could take 
some time here for a moment — there are protective activities we 
engage in which increase awareness of group capabilities and tac- 
tics that could be affected against a specific target. 

We go out and train the private sector on what to look for, the 
observables of preincident indication of activity of a terrorist at- 
tack. Those observables, while they may be disparate pieces of in- 
formation not directly related to an imminent attack, but poten- 
tially future planning of an attack, are things we can pipe back 
into our IA folks to assist in the prevention role. 

That is the value add that we have in the ability of providing in- 
formation from the private sector that we directly gain on 
preincident information that we collect, that we share with our in- 
formation analysis component that gets put back into the intel- 
ligence community to affect good prevention methodologies and 
good prevention activities. It is finding out — and the unique thing 
about this and the unique thing about what DHS does, particularly 
as it relates to IP, is that we deal in the target community; and 
as a result and as opposed to looking at just the criminal activity 
or the terrorist activity that goes into targeting the private sector, 
we are dealing with the targets that are the focus of those terrorist 
groups. 

So if we know what to look for and we can train people in what 
the observables are, that observable information can significantly 
enhance prevention activities as it relates to law enforcement and 
the intelligence function. 

As I pointed out earlier, it is a pretty complex process, but I 
think it is an extremely articulable one as it relates to what our 
role is and how we play together in this space. It happens in the 
cyber world routinely; as we found out, probing or potential exploit 
probes, things that can be detected in the cyber world contribute 
to that sort of knowledge as well. Terrorist groups, we know, use 
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cyber activity to probe physical targets to see what the penetration 
capabilities are. That information gets collected similarly as observ- 
able — physical things that are observable get reported back to us. 

I don’t know if that responds to your question or not. 

Mr. Cox. It amply responds given the time that we have. I appre- 
ciate very much your willingness to speak to the point. 

I thank the chairman. Please keep in mind my suggestion about 
deeper cooperation with DOD. I think that that could be helpful. 

Mr. Liscouski. I could respond to that, too. 

We actively engage with DOD and we are looking at all levels 
between NORTHCOM as well as the Assistant Secretary of De- 
fense Paul McHale. We have a good partnership there. 

Mr. Thornberry. I thank the chairman. 

I would like to ask both witnesses if we can have an agreement 
that because our time has been cut short, that you all will make 
an effort to respond to our written questions, try to within 2 weeks 
and less than 30 days, and I will commit to you to make sure that 
the questions are reasonable in length and scope. If we could have 
that agreement with both of you, I would appreciate it. 

I am going to ask one other question at the risk of missing this 
first vote. You are free to go Mr. Liscouski, but I don’t know if any- 
body is going to be over there anyway because we are all voting. 

But, Mr. Cooper, I want to direct this to you because one of the 
primary reasons that the Department of Homeland Security was 
created was to integrate 22 different agencies into one seamless 
unit. Now, the total measurement of seamlessness is not having 
one IT architecture and system with which the Department can op- 
erate, but it is a pretty good one. And yet, when I look at some of 
the specifics that you have provided on the progress you have 
made, you have still got ten different financial management sys- 
tems, you have still got eight different contracting offices, seven 
different human resources. 

I guess it is an area where I am frustrated, frankly, and I want 
to ask, is the primary difficulty you face figuring out what you 
want to do? Is it resolving the technical difficulties of merging 
these 22 different agencies? Or is it something else? Is it money? 
Is it getting the decisions made to force people to go use somebody 
else’s computer system even though that is not what they have 
been using? 

If you had to summarize the difficulty you face in making this 
one seamless IT department, what is it? 

Mr. Cooper. I would summarize it in this way: It is a combina- 
tion of people, process and technology. The technology is in fact, 
honestly, from my professional and kind of sitting in the role that 
I currently sit in, is the least controversial and the easiest to effect. 

However, having said that, it is — in and of itself, the technology 
challenges are complex. We know how to do them, so that is the 
easiest. 

The second is process. What we don’t want to do, if you pardon 
the expression, is pave the cowpath. We want to reengineer some 
of the processes that we now use or will use to effect threat identi- 
fication and management or some of the cybersecurity activity that 
Bob has talked about or some of the back office processes that I 
spoke to briefly. That is hard work. 
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We do have — we are making progress. I mentioned the five busi- 
ness area focus groups. This is under way. We were a little bit slow 
to get going because we had to do some education. We had to help 
people understand why this is an important and valuable exercise. 

We have had the support of the Secretary. We have had the sup- 
port of the Deputy Secretary and now we are engaging. All areas 
of the Department are engaging. So that, I feel comfortable that we 
are under way. 

Again, we will move as fast as we can move with quality and 
with speed. It may take us longer than all of us would hope that 
we could complete. 

The last and the toughest is people. This is about change. And 
that means that in some cases, the right decision or what might 
come out of these business area focus groups might be suggestions 
or reengineering that says a process used to be done in many orga- 
nizational elements and now it might be more appropriate to place 
it in one organizational element, name that organizational element, 
the managing partner or the business process owner to have reach 
and span of control across that process across the entire Depart- 
ment. That is change, it is difficult, and it is about thinking dif- 
ferently and about doing work differently. 

I don’t have exact answers. It is not quite a science yet. There 
is a little bit of art involved. 

Mr. Thornberry. I appreciate your analogy of changing the tires 
as the car is moving, because while you are doing this stuff, you 
still have got to guard the borders and still have to process the peo- 
ple coming in. And I don’t want to minimize that effort. 

I will say this. I think a number of us will be looking for ways 
to help you, maybe even push you a little bit to make sure that this 
does move as fast as possible. And understanding culture and peo- 
ple and reluctance to change, we cannot let that obstruct the abil- 
ity to have a department that is functioning as well as it possibly 
can, because so much is riding on the success of this department. 

So I don’t want to make your job more difficult, but on the other 
hand, separation of powers is here for a reason and maybe we can 
help give you some extra incentive or whatever to get the job done. 

But I appreciate it. I appreciate both of you being here and your 
answers today, and I appreciate your willingness to answer our 
written questions promptly. And, with that, the hearing is ad- 
journed. 

[Whereupon, at 11:50 a.m., the subcommittee was adjourned.] 
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Questions Submitted for the Record 

Questions for Assistant Secretary Robert Liscouski, From Congressman 

Dave Camp 

1. Your office has the responsibility to communicate cyber threat infor- 
mation to the private sector. I am interested in understanding the different 
means you use to accomplish this task. What challenges do you face in com- 
municating with large companies (the Financial Services Sector, for exam- 
ple) versus small business owners and private users? What are the different 
means you utilize to reach these different groups, especially given their 
varying levels of understanding of cyber threats? 

The primary ways that DHS communicates cyber threat information to the pri- 
vate sector are: (1) through the U.S. Computer Emergency Readiness Team (tJS — 
CERT) public website at www.us-cert.gov, (2) through the US-CERT’s National 
Cyber Alert System (NCAS), (3) through the US-CERT Portal, and (4) through the 
Information Sharing and Analysis Centers (ISACs) in each of the critical infrastruc- 
ture sectors. 

The US-CERT public website is our primary means to provide information to the 
public at large. It includes relevant and current information on cyber security 
issues, current cyber activity, and vulnerability resources. To date, the website has 
received over 3.8 million hits at an average of 128,000 per day. It also provides a 
link to the National Cyber Alert System (NCAS). 

NCAS is an operational system developed to deliver targeted, timely, and action- 
able information to Americans to allow them to secure their computer systems. In- 
formation provided by the NCAS is designed to be understandable to all computer 
users, technical and non-technical, and reflects the broad usage of the Internet in 
today’s society. The NCAS provides a communication mechanism through website 
access and e-mail alerts for providing general guidance for users and the ability to 
reach millions of Americans at once with a variety of cyber security information ma- 
terials on both a technical and non-technical level. There are currently over 270,000 
unique subscribers to the various alerts provided by the NCAS, and our challenge 
is to increase its outreach to as many Americans as possible. We are working closely 
with the National Cyber Security Alliance on expanding the Stay Safe Online cam- 
paign, coordinating closely with the Federal Trade Commission on their information 
security campaign, and working with other trade groups and industry associations 
with key cyber security awareness and outreach programs. 

In addition to the public website, US-CERT maintains an active secure online 
portal that enables the cyber security stakeholder communities including govern- 
ment and the private sector to communicate and collaborate on cyber security ef- 
forts. Groups that utilize the US-CERT portal include the Chief Information Secu- 
rity Forum (CISO Forum), the National Cyber Response Coordination Group 
(NCRCG), DHS’s Office of Infrastructure Protection, the Government Forum for In- 
cident Response Security Teams (GFIRST), the Multi-State Information Sharing 
and Analysis Center (MS-ISAC), and the US-CERT staff. One challenge to reaching 
the private sector communities has been creating a trusted protocol for sharing in- 
formation. That challenge is being addressed in through the NCSDAJS-CERT Out- 
reach and Awareness efforts. 

In the case of vendor-specific vulnerability or threat information, we communicate 
directly with appropriate and expert representatives in the individual company 
when that is possible. The recent Cisco vulnerability is a key example of how we 
communicated — and collaborated — with the private sector on a very specific vulner- 
ability. The ability to communicate with specific companies in such cases is crucial. 
The appropriate contacts are being developed through the NCSD/US-CERT Out- 
reach efforts and through participants in the US-CERT Portal. Outreach targets in- 
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elude the spectrum of the critical infrastructure sectors (through the ISACs, indus- 
try associations, etc.), software developers and researchers, academia, government, 
the information technology (IT) vendor and operator community, and others. DHS 
works with various vendors to understand, assess, and inventory vulnerabilities so 
that when threat information is transmitted, it includes specific instructions on how 
to mitigate or eliminate the vulnerability, and what resources exist to obtain help. 

The ISACs were established as a primary mechanism for two way information 
sharing with the critical infrastructure sectors. Many critical infrastructure sectors 
have developed procedures to widely disseminate their alerts, warnings and 
advisories, to both large and small companies, throughout their sector. These sectors 
involve trade associations, representing smaller companies, who receive information 
from the ISAC and who then re-transmit that information to their members. 

2. How do you utilize Information Sharing and Analysis Centers (ISACs) 
to share and receive threat information? How do you recommend strength- 
ening or improving the relationship between ISACs and DHS for this pur- 
pose? 

DHS/IAIP’s Infrastructure Coordination Division within the Office of Infrastruc- 
ture Protection maintains an on-going relationship with the ISACs and is the focal 
point for all ISAC relationships for critical infrastructure issues. Threat information 
gained from the Intelligence Community through DHS’s Office of Information Anal- 
ysis alerts, warnings, and advisories applicable to the critical infrastructures and 
key resource industries are delivered directly to them through standard agreed upon 
procedures. DHS/IAIP also provides to them regularly scheduled daily situational 
briefings, and periodic classified briefings as needed as well as special briefings 
when there is a major change in the threat level. IAIP also meets periodically with 
the ISAC Council a cross-sector body representing a large number of the ISACs, to 
improve information sharing practices and strategies. Such meetings help to sustain 
the relationship with the ISACs by proactively identifying gaps that need to be mu- 
tually addressed. 

DHS is constantly strengthening its relationship with the ISACs. One of its most 
critical programs is the implementation of a National Infrastructure Coordination 
Center (NICC) to serve as an operational nexus for all of the ISACs. The NICC al- 
lows representatives from the ISACs, industry groups, and key companies within 
each sector to share and receive situational awareness information. These sector ex- 
perts work both within their areas of expertise and across sectors to maintain con- 
stant situational awareness of the status of the critical infrastructure. The NICC 
provides a centralized mechanism for sharing information with the ISACs and the 
private sector in response to an event or crisis. The ISACs will also be expanded 
to ensure that one exists for each critical infrastructure sector and key segments 
within each sector. DHS continues to work with industry to evaluate ways to reach 
the full breadth of each critical infrastructure sector, either through improvements 
in the ISAC mechanism or additionally through sector coordinating groups. 

In addition to these regular, ongoing efforts, the Homeland Security Information 
Network, once functional, will facilitate real-time communication between DHS and 
the private sector through the ISACs or other sector groups as they form. DHS is 
also working with the ISACs on a number of exercises, on a national, regional, and 
sector basis that will help determine where communication and collaboration im- 
provements can be made. 

Questions From Congressman Sherwood Boehlert 

1. Mr. Liscouski, in a September 2003 letter to Governor George Pataki, 
you requested New York’s initiative and leadership in the Multi-State In- 
formation Sharing and Analysis Center (MS-ISAC) and promised that DHS 
would assume a more ’formal’ role in the MS-ISAC, once established. New 
York State and Mr. William Pelgrin, Director of Cyber Security and Critical 
Infrastructure Coordination for the state, have been proactive and effec- 
tive in coordinating and leading the Multi-State Information Sharing and 
Analysis Center. Mr. Pelgrin’s efforts have resulted in the MS-ISAC involv- 
ing 49 states and the District of Columbia and a business plan, submitted 
to DHS, which highlights roles, responsibilities, budgets, and additional 
steps needed for the MS-ISAC. Now that it has been established, what fund- 
ing and support do you plan to provide the MS-ISAC as you work to for- 
malize the relationship between DHS and this critical initiative that you 
requested? 

DHS recognizes and appreciates Mr. Pelgrin’s efforts to develop and expand the 
Multi-State ISAC. As part of this effort, we had requested that he engage other like 
entities within the states, which had information sharing initiatives on-going, such 
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as NASCIO, and integrate their efforts. That work is in progress. We are currently 
reviewing Mr. Pelgrin’s business plan that was developed prior to the implementa- 
tion of new capabilities within DHS, such as the National Cyber Security Division, 
the US-CERT, and the announcement of the Homeland Security Information Net- 
work (HSIN) by Secretary Ridge in March 2004. All of these new capabilities are 
intended to assist and enhance the core capabilities of the ISACs and bring them 
up to a common level of effectiveness. The Multi-State ISAC will receive the benefits 
of all these new capabilities including the ability to share information and collabo- 
rate on cyber security issues on a 24x7 basis and to further integrate information 
sharing within and across State and local governments through the HSIN/US- 
CERT portal. 

The Multi-State ISAC and Will Pelgrin have been extremely supportive of the 
US-CERT and our initiatives to increase national cyber security situational aware- 
ness. The NCSD has participated on a number of Multi-State ISAC monthly con- 
ference calls throughout 2004 and plans to continue to support the mission of the 
Multi-State ISAC to provide valuable cyber security vulnerability and incident infor- 
mation to the State level. Moving forward, NCSD plans to work along with the 
Multi-State ISAC to mutually improve cyber security on both the state and federal 
level. As such, DHS has entered into a contract with the MS-ISAC to provide 
$400,000 in FY04 funds, which the MS-ISAC is currently using for various outreach 
efforts such as conference, the webcast series, and other activities. DHS is exploring 
an increase in the funding for the MS-ISAC in FY05. 

From Congressman Mac Thornberry and Congresswoman Zoe Lofgren 

1. Coordination for Threat Assessments 

a. How is the National Cyber Security Division (NCSD) working with 
the Information Analysis Directorate (IA), which has responsibility for 
information analysis of the threat? 

The Office of Information Analysis (IA) is DHS’ portal to the Intelligence Commu- 
nity and is responsible within DHS for all aspects of the intelligence cycle for 
cybersecurity, such as issuing additional collection or analysis requirements to the 
rest of the Intelligence Community. NCSD works with IA on the substance of the 
collection and analysis requirements. 

Operationally, the NCSD works with IA through daily threat assessment meet- 
ings and on an as-needed basis in the case of a specific threat. One example of this 
coordination was the participation of NCSD in partnership with IA to develop the 
National Intelligence Estimate (NIE) “Cyber Threat Against the Information Infra- 
structure.” This classified document is an update of the 2000 NIE of the same title. 
In addition to the regular meetings NCSD participates in daily conference calls with 
the National Security Agency/NSIRC, the Central Intelligence Agency, and the De- 
partment of Defense’s Joint Task Force Global Network Operations (JTF-GNO) to 
discuss classified cyber activity of note. 

b. How does the NCSD interact with the Terrorism Threat Integration 
Center (TTIC) for classified assessments? How are these assessments 
used and what NCSD products have resulted from TTIC derived infor- 
mation? 

NCSD interacts with the Terrorism Threat Integration Center (TTIC) indirectly 
through the DHS Homeland Security Operations Center (HSOC). NCSD shares the 
staffing of a 24x7 Infrastructure Protection desk at the HSOC that has direct reach 
back to the US-CERT, and the HSOC and TTIC work closely together on informa- 
tion for both physical and cyber threats. Additionally, NCSD interaction with the 
TTIC is accomplished through DHS/IA, law enforcement and intelligence community 
detailees on staff in IAIP and is developing a comprehensive threat, risk, attribution 
assessment, and response capability. 

With regard to classified assessments, NCSD participated in National Intelligence 
Estimate’s cyber threat assessment in conjunction with IA and other members of the 
law enforcement community. 

To date there are no specific NCSD products that have been produced from TTIC- 
derived information. 

c. Who within DHS has the authority and mission to correlate cyber 
threat and vulnerability for an overall assessment? When, how, and 
with whom will this information be shared? 

As a focal point for cyber security issues related to reducing the vulnerability of 
critical infrastructure or key resources in order to deter, mitigate, or neutralize ter- 
rorist attacks, DHS’ National Cyber Security Division (NCSD) has the authority and 
mission to correlate cyber threat and vulnerability information. The NCSD performs 
this correlation within the Division in a collaborative effort between the US-CERT 
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Operations branch and the Law Enforcement/Intel branch as the lead entities but 
also in collaboration with other Divisions in the Office of Infrastructure Protection. 
In addition, as part of the National Infrastructure Protection Plan (NIPP), NCSD 
is responsible for: (1) conducting risk assessments and determining the necessary 
protective measures for the information technology industry, and (2) providing guid- 
ance to the sector specific agencies with responsibility for other critical infrastruc- 
ture sectors on how to incorporate cyber-related vulnerabilities into their vulner- 
ability assessments. 

NCSD regularly shares information with key stakeholders within DHS, including 
the Homeland Security Operations Center (HSOC) through existing daily conference 
calls or targeted communications, IAIP, and other components as appropriate as 
well as with interagency partners through the NCRCG, GFIRST, and the Chief In- 
formation Security Officer (CISO) Forum. As information is cleared through classi- 
fication procedures, NCSD also shares information with the private sector through 
appropriate channels, including the ISACs, the HSIN/US-CERT Portal , and the 
US-CERT NCAS. The public at large can also access information provided through 
the NCAS as well as the US-CERT public website. In the event that a cyber threat 
rises to the level of national security, the public will be informed through the Home- 
land Security Advisory System (HSAS). 

2. Coordination for Cyber Advisories and Warnings 

a. What organization within DHS is responsible for managing and 
issuing cyber advisories and warnings? 

Through its mission to serve as a national focal point for cyber security issues and 
to implement the National Strategy to Secure Cyberspace, NCSD is responsible for 
managing and issuing cyber advisories and warnings. Those advisories and warn- 
ings are issued to the public and our partners through the NCAS and to specific 
entities on an as-needed basis in the case of a targeted vulnerability or threat. Infor- 
mation that is less sensitive and for wider distribution is disseminated through the 
US-CERT public website and the US-CERT secure online portal, as appropriate. 

b. How will DHS integrate cyber advisories and warnings into the exist- 
ing Homeland Security Advisory System (HSAS), given that cyber has 
a unique audience, particularly when those people who must respond 
to an attack are not the traditional First Responders used for physical 
national disasters? 

NCSD provides information for use in the HSAS to be activated as appropriate. 
However, the nature of cyber attacks is that there are varying degrees of cyber ac- 
tivity at any given time that warrant advisory to the cyberspace stakeholder com- 
munity that does not meet the criteria for raising the national alert status through 
the HSAS. Therefore, US-CERT utilizes the NCAS to notify the entire national, and 
international stakeholder community about activities that may warrant specific pro- 
tective measures but that do not rise to the national security level of the HSAS. 
US-CERT is reaching out to key partners for incident response at various levels of 
sensitivity or urgency through the NCAS, the US-CERT secure online portal, the 
NCRCG, and the US-CERT public website to communicate with cyber “first re- 
sponders” and other stakeholders. 

In the event of a cyber incident of national significance (or an incident with both 
physical and cyber implications), the NCSD/US-CERT and/or NCRCG will provide 
analysis and recommendations to the IIMG or to the Secretary to help inform a de- 
cision about whether to raise the national alert level, 

c. How is the cyber threat and warning mission being integrated into 
the Homeland Security Operations Center (HSOC)? 

US-CERT communicates regularly with the HSOC on cyber security issues, in- 
cluding participation in daily conference calls and regular e-mail and other cor- 
respondence. In addition, the NCSD shares the staffing of a 24x7 Infrastructure 
Protection desk at the HSOC that has direct reach back to the US-CERT for coordi- 
nated action as appropriate. 

d. How will DHS work with other countries when responding to a cyber 
attack, given that most attacks have effects on information systems 
around the world? 

Cyberspace transcends traditional borders and we recognize our international out- 
reach is crucial to protecting ourselves. As such, DHS is active in a number of multi- 
lateral and bilateral activities addressing cyber security issues such as early warn- 
ing, response, and information sharing. NCSD and US-CERT are reaching out to 
other countries to form strategic partnerships that we will be able to leverage in 
the case of a cyber attack. US-CERT is a member of the Forum for Incident Re- 
sponse Security Teams (FIRST), an international coalition of government, commer- 
cial, and academic organizations that aims to foster cooperation and coordination in 
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incident prevention, prompt rapid reaction to incidents, and promote information 
sharing among members and the community at large. FIRST is one way that US- 
CERT works with computer security incident response teams (CSIRTs) in other 
countries when needed to share information, best practices, and experiences. US- 
CERT also communicates and collaborates with other CSIRTs directly. 

For example, NCSD and US-CERT participate in the cyber security efforts of the 
Asia Pacific Economic Cooperation (APEC), the Organization for American States 
(OAS), and the Organization for Economic Cooperation and Development (OECD). 
Their respective programs seek to raise awareness about cyber security, provide 
technical assistance and capacity building for emergency response teams, help de- 
velop trusted relationships between response teams, and to build a global “culture 
of security.” 

On an operational basis, the NCSD and US-CERT are developing closer ties with 
the so-called “Five-Eyes” countries (United States, United Kingdom, Canada, Aus- 
tralia, and New Zealand), as well as other countries with key operational capability 
and interest through information sharing and cooperative mechanisms. The objec- 
tive is to forge trusted relationships with our counterpart organizations abroad and 
develop the basis for a coordinated response in a cyber incident or attack. We seek 
and have created opportunities to build those relationships in a number of inter- 
national forums and activities. The most recent example was the multilateral con- 
ference on cyber security that DHS/NCSD co-hosted with the German Ministry of 
the Interior in Berlin in October 2004. Government policy makers, managers of 
CSIRTs with national responsibility, and law enforcement representatives from fif- 
teen countries in Europe, Asia Pacific, and the Americas participated in the con- 
ference. The conference focused on developing a framework for cyber information 
sharing and incident response, and included a tabletop exercise to examine inter- 
national communication and collaboration channels as well as interactive sessions 
on international information sharing and incident response. The participants agreed 
to an initial framework for cyber information sharing and incident response by iden- 
tifying points of contact cyber information sharing actions in the short term and, 
and are forming a cooperative mechanism to build a more mature framework in the 
longer term. 

3. Framework 

a. Is DHS developing a cybersecurity framework for public and private 
use and what is the status? 

The cyber security framework for the nation is the National Strategy to Secure 
Cyberspace issued by President Bush in February 2003. The Strategy put forth a 
framework of five priorities for all stakeholders in protecting our nation’s informa- 
tion infrastructure and provided a roadmap for both the private and public sectors 
to undertake toward a more secure cyberspace. DHS is well on our way to imple- 
menting the Strategy with our counterpart agencies throughout the government and 
are actively partnering with the private sector to work collaboratively and create a 
set of public milestones to measure progress. We have consolidated and are 
leveraging existing programs and have identified new ones toward meeting the man- 
date of the Strategy. 

b. What elements are being included in this framework? At a minimum, 
please include an update for benchmarks, standards, best practices, 
common criteria and other elements as appropriate. 

The elements of the framework are set out in the Strategy’s five priorities: 

Priority I: A National Cyberspace Security Response System 

Priority II: A National Cyberspace Security Threat and Vulnerability Reduction 

Program 

Priority III: A National Cyberspace Security Awareness and Training Program 
Priority IV: Securing Government’s Cyberspace 

Priority V:National Security and International Cyberspace Security Cooperation 

Key elements of our program to meet the mandate of the Strategy are as follow: 
US-CERT — established a 24x7 cyber watch and warning operation with a se- 
cure online portal for collaboration, information dissemination, and information 
exchange; 

US-CERT Outreach — establishing regular communication and collaboration 
mechanisms such as US-CERT Portal, US-CERT public website, NCAS and 
other activities to reach critical infrastructure sectors, software developers, aca- 
demia, government entities, and other stakeholders. 

Strategic Initiatives — identification of cyber security programs for the long 
term, including software assurance, research and development, exercises, train- 
ing, and education. 
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Law Enforcement and Intelligence Coordination — NCSD works with key parties 
in the law enforcement and intelligence communities to leverage information 
and coordinate response to cyber security threats and events. 

NCSD has identified a set of goals, corresponding objectives, and programs and 
initiatives to further these goals that map to the five priorities of the National 
Strategy. NCSD is working to develop a set of specific milestones to measure 
progress toward the goals articulated in the following strategic framework: 


PRIORITY 

NCSD GOALS 

I. National Cyberspace 

Security Response System 

#1 Prevent, predict, detect, and respond to 
cyber incidents, and reconstitute rapidly 
after cyber incidents 

II. National Cyberspace Threat 
and Vulnerability 

Reduction Program 

#2 Work with public and private sectors to 
reduce vulnerabilities and minimize the 
severity of cyber attacks 
#4 Coordinate with the Intelligence and 
law enforcement communities to identify 
and reduce threats to Cyberspace 

III. National Cyberspace 
Security Awareness and 
Training Program 

#3 Educate and encourage Americans to 
secure their cyberspace thought a Na- 
tional awareness and training campaign 

TV. Securing Governments’ 
Cyberspace 

#1 Prevent, predict, detect, and respond to 
cyber incidents, and reconstitute rapidly 
after cyber incidents 

#2 Work with public and private sectors to 
reduce vulnerabilities and minimize the 
severity of cyber attacks 

V. International Cyberspace 
Security Cooperation 

#1 Prevent, predict, detect, and respond to 
cyber incidents, and reconstitute rapidly 
after cyber incidents 

Common to All Priorities 

#5 Build an effective organization 


NCSD has various opportunities and obligations to report to Congress on its pro- 
grams and activities and will continue to do so as requested and on a timely basis. 

c. How will progress and compliance with voluntary standards and the 
framework be measured and certified, particularly in the private sec- 
tor, which owns and operates most of the critical information infra- 
structure? 

The private sector has a large role in increasing our nation’s cyber security, and 
they are acting upon that responsibility. Private sector associations formed the Na- 
tional Cyber Security Partnership (NCSP) and are expanding it to include over 20 
associations. NCSD is participating in meetings of the NCSP and others to encour- 
age the articulation of a set of priority milestones for implementation of the prior- 
ities of the National Strategy that can track progress by the private sector and gov- 
ernment. 

d. What incentives will be provided, or are needed, in order to have 
government and industry adopt this cybersecurity framework? 

Much of the Strategy calls for information sharing between the private and public 
sectors. Historically, companies and other entities have had concerns about the con- 
fidentiality of information shared with the federal government, either independently 
or through a mechanism such as the ISACs. Congress enacted the Critical Infra- 
structure Information Protection Act as part of the Homeland Security Act of 2002 
to facilitate sharing of the most valuable information about capabilities, threats, 
vulnerabilities, and deterrence programs possible. The law granted an exemption for 
voluntarily submitted critical infrastructure information from the Freedom of Infor- 
mation Act (FOIA) and state sunshine laws. To implement the law, DHS has cre- 
ated and led a working group to develop regulations and procedures for receipt, dis- 
position, and use of Protected Critical Infrastructure Information (PCII). In Feb- 
ruary 2004, DHS created the PCII Program Office, which has developed rigorous 
safeguarding and handling procedures to manage the information flow and prevent 
unauthorized access to information submitted under the PCII program. 
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Separately, the market demand for cyber security presents a significant incentive 
for both government and industry to adopt the approach laid out in the Strategy. 

e. The National Institute of Standards and Technology (NIST) has been 
active in developing cybersecurity requirements for industrial control 
systems. Are these activities being included in DHS efforts to develop 
cybersecurity standards? How will DHS capitalize on these activities to 
decrease the vulnerability of privately owned critical infrastructure? 

Yes, the National Institute of Standards and Technology (NIST) efforts to develop 
cyber security requirements for industrial control systems have been included in 
DHS’ efforts to develop cyber security standards, particularly in NCSD’s effort to de- 
velop a control systems framework. 

The control systems framework will build upon the work already completed by the 
NIST-sponsored Process Control Security Requirements Forum (PCSRF) and devel- 
oped in compliance with the ISO 15408 requirements definition language (Common 
Criteria) to allow for international acceptance. 

PCSRF has already developed a system protection profile for industrial control 
systems? components that serves as an appropriate starting point for this effort. 
Work continues on the profile, and once the reference components are defined, a vul- 
nerability analysis will be conducted to enumerate the relevant operational security 
requirements for each class of component. These requirements will then be mapped 
to a set of security controls based on specific assurance levels and the criticality of 
the site in terms of impact on critical infrastructure, economic impact and/or poten- 
tial loss of life due to an environmental manifestation of a successful cyber attack 
on a control system. Once this definition is complete, specific recommendations will 
be made to implement the appropriate security controls in each environment. 

Currently there is a lack of specific guidance in the standards that are being de- 
veloped for operational control systems implementations. NCSD will continue to 
work with the standards bodies and industry to define any specific sector oper- 
ational requirements, and then to offer rigorously defined security requirements and 
specific recommendations for security and/or mitigation back to the standards bodies 
and to industry. 

In addition to the framework, DHS has invested funds to augment the existing 
testing capability of the National Supervisory Control and Data Acquisition 
(SCADA) Testbed officially launched in May 2004 and run jointly by the Idaho Na- 
tional Environmental and Engineering Laboratory (INEEL) and Sandia. The Na- 
tional SCADA Testbed is aimed at SCADA systems only and aimed strictly at devel- 
oping the capabilities to test energy sector systems. DHS’ test center operates hand- 
in-hand with the SCADA Testbed, but the DHS effort is focused on the non-energy 
sectors and is trying to work with other existing private and public testbeds as to 
leverage their efforts and avoid duplication. The DHS Control Systems Security and 
Test Center (CSSTC) and the National SCADA Testbed was officially opened in Au- 
gust 2004. 

Finally, with regard to control systems, NCSD is developing a control systems 
risk/impact decision tool that the US-CERT will be able to use for analysis and vul- 
nerability evaluation for control systems. 

4. Management 

a. How is DHS distinguishing cybersecurity roles and responsibilities 
internally, e.g., NCSD, CIO, TSA, Secret Service, NCS, and others? 

By virtue of the mandate provided in HSPD #7, NCSD has been given the man- 
date to “facilitate interactions and collaborations between and among Federal de- 
partments and agencies, State and local governments, the private sector, academia 
and international organizations.” As such, NCSD is a national focal point for the 
public and private sectors on cyber security issues and it is responsible for coordi- 
nating the implementation of the National Strategy to Secure Cyberspace. NCSD 
recognizes that each of these entities may bring unique capabilities, responsibilities 
and/or authorities to bear on cyber security issues, and as such, NCSD must act as 
a coordinating body to ensure that these entities are acting in concert. 

When dealing with the internal DHS information systems, the DHS CIO has the 
responsibility and authority to implement and assure the security of such systems. 
NCSD ensures that the office of the CIO is kept informed of the latest cyber threats 
and is provided with timely, actionable information to take steps to protect DHS 
systems from emerging malicious code occurrences. 

The National Cyber Response Coordinating Group (NCRCG; previously known as 
the Cyber Interagency Incident Management Group) will coordinate interagency 
preparedness and operations to respond to, and recover from, cyber incidents and 
attacks. The role of the NCRCG is discussed in the Cyber Annex to the National 
Response Plan. The group brings together senior officials from DHS, law enforce- 
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ment, defense, intelligence, and other government agencies that maintain significant 
cyber security capabilities. The combination of these officials/agencies provides the 
capability to analyze and coordinate a national level response to any incident that 
affects cyber assets. In addition to the ability to focus portions of their agencies? 
resources, they possess the necessary statutory authority to act. 

The National Communications System (NCS) is responsible for coordination of the 
planning for and provision of national security and emergency preparedness commu- 
nications for the Federal government under all circumstances. National security and 
emergency preparedness (NS/EP) telecommunications services are those that are 
used to maintain a state of readiness or to respond to and manage any event or 
crisis that causes or could cause injury or harm to the population, damage to or loss 
of property, or degrade or threaten the NS/EP of the United States. Both the NCS 
and NCSD report to the Assistant Secretary for Infrastructure Protection, which al- 
lows for close coordination on those cybersecurity issues that impact each organiza- 
tion. 

The draft National Response Plan (NRP) is a set of defined processes that will 
bring together several DHS functions for cyber security. The Cyber Incident Annex 
of the NRP, as developed by NCSD in coordination with the NCRCG, establishes 
procedures for a coordinated, multidisciplinary, broad-based approach to prepare for, 
respond to, and recovery from cyber Incidents of National Significance impacting 
critical national processes and the national economy. For physical incidents, Emer- 
gency Support Function 2 (ESF #2) — with NCS as coordinating agency — would co- 
ordinate Federal actions to restore backbone connectivity for the Internet and pro- 
vide priority service to NS/EP users. The draft National Response Plan includes tie- 
ins between ESF #2 and the Cyber Incident Annex to ensure these functions stay 
coordinated, which has been operationalized by cross-membership across the NCS, 
NCRCG and the Interagency Incident Management Group (IIMG). 

Various DHS components, including Immigration and Customs Enforcement (ICE) 
and the Secret Service have statutory responsibility for investigating cyber crimes. 
DHS through NCSD has assumed a supporting role in this area. Among the efforts 
that have Been undertaken are, the support and administration of the Cyber Cop 
Portal, the co-sponsorship (with the Department of Justice) of the first statistically 
valid survey of cyber crime in the US, and the initiation of a number of joint meet- 
ings to address the issue of cyber attack attribution. 

The Cyber Cop Portal is one of the oldest and most widely used mechanisms for 
sharing information in the electronic crimes community. It consists of over 5,300 
members from all 50 states and over 40 countries. Its growth and use brought it 
to the point where it could no longer be maintained as a voluntary part time project, 
and it was in danger of being shut off. NCSD has decided to sponsor and administer 
the portal. 

NCSD has agreed to provide funding and support to the DOJ Bureau of Justice 
Statistics to assist in the first ever statistically valid survey of cyber crime in the 
United States. The effort will involve questionnaires to over 36,000 US businesses 
covering all critical infrastructure sectors. The results of the survey will provide law 
enforcement and policy makers with a better understanding of the problem and how 
to allocate resources. 

One key component in the ability to effectively respond to cyber attacks is attribu- 
tion, determining the source of the attack. This is also one of the most difficult as- 
pects of cyber attack investigations. The solution to the problem is not found in any 
one community of interest, but across a broad spectrum of disciplines (Intelligence, 
Counter Intelligence, Law Enforcement, private industry, etc.). Under the auspices 
of the NCRCG, and in conjunction with DOJ, a number of attribution meetings have 
been held or are being planned. These meetings are designed to develop an overall 
picture of the state of attribution throughout the various communities, and then to 
develop a plan to improve it. The plan is due during the second quarter of FY05. 
b. What measures have been taken to elevate the importance of 
cybersecurity within the overall mission of DHS and to improve public 
awareness of cybersecurity issues? Specifically, should cybersecurity 
be a part of “READY.GOV” public web site to make Americans more 
aware of cybersecurity needs? 

Cyber security is a priority issue for DHS and the mission for NCSD. We are im- 
proving public awareness of cyber security issues through the US-CERT public 
website and the NCAS launched in January 2004 as well as through our engage- 
ment in the National Cyber Security Alliance’s Stay Safe Online campaign, our Out- 
reach and Awareness branch, and our partnership with the MS-ISAC to reach state 
and local government. The US-CERT public website provides information on cyber 
security issues, cyber activity, and cyber vulnerabilities. NCAS is our primary mech- 
anism for communicating with the public on cyber alerts, security tips, and other 
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useful notifications. We are pursuing ways to reach as many Americans as possible 
through the website, awareness campaigns, and the NCAS as well as other public 
awareness efforts. 

DHS is currently expanding the Ready campaign and is developing Ready for 
Business and Ready for Kids. Ready for Business is designed to help small to me- 
dium business owners safeguard their business operations in the event of a terrorist 
attack or other emergency. 

Preliminary messages for the campaign center around three key themes: Ensuring 
Business Continuity, Safeguarding and Preparing Your Employees, and Safe- 
guarding your Computer Systems (cyber security). The third theme will help busi- 
nesses owners understand better the need for cyber security and also how to achieve 
it. It will encompass topics such as how to prevent computer viruses, how to detect 
computer viruses, how to preserve and back-up computer data, and bow to prevent 
hacker intrusion. 

DHS is working with the Advertising Council to develop content and messages 
that will inform and motivate business owners to take action. The messages will be 
distributed through a variety of vehicles that will target business owners and opera- 
tors. 

c. Some have suggested that the NCSD should be elevated within the 
DHS organization — either as a direct report to the Secretary Ridge or 
to the Under Secretary for Information Analysis and Infrastructure 
Protection. What is the Department’s view of such a change? 

The Department is working closely with the Homeland Security Council to evalu- 
ate this and other policy and organizational options related to elevating and expand- 
ing the current role of the NCSD. 

5. Wireless Funding 

a. The National Communications System program budget for Wireless 
Priority Service is $78M. The office of the Chief Information Officer 
(CIO) includes funding for wireless activities at $100M. How are your 
office, the CIO, and Science and Technology Directorate working to- 
gether on developing these programs? 

In summary, each program has a very distinct mission employing different tech- 
nologies. DHS/IAIP recognizes the need to continually assess opportunities to insure 
integration of communications as well as efficiencies of programs. DHS has estab- 
lished forums for the review and ultimate execution of such a strategy and is coordi- 
nating all of its programs efforts. The IAIP NCS is an inter-agency body responsible 
(through E.O. 12472) to support the President in providing priority telecommuni- 
cations services across federal, state and local entities that assures the greatest op- 
portunity to communicate during all crises. The NCS Wireless Priority Service 
(WPS) program was directed by the National Security Council and subsequently au- 
thorized by the FCC. WPS is a National Security/Emergency Preparedness (NS/EP) 
priority service program utilizing based in the commercial/public cellular networks 
for designated Federal, State, Local and critical infrastructure owner leadership. 
The DHS CIO office focuses on managing the wireless assets for the department 
with a significant focus on the private Land Mobile Radio (LMR) network users of 
the federal entities transferred to DHS. They are also engaged with DOJ in 
leveraging its capabilities and development of LMR interoperable communications 
for the Federal law enforcement community. In terms of coordination, the NCS pro- 
grams, through exhibits 300, are reviewed and approved by the DHS CIO office. The 
CIO office also has established a wireless management working group which IAIP 
NCS participates in regularly to review technology issues and evolution as well as 
identify areas that will create efficiencies of all programs. A primary long term ob- 
jective, in addition to assuring interoperability of DHS assets, is to integrate WPS 
capabilities with all wireless solutions as technology enables. 

IAIP, DHS’ CIO Office and the S&T Directorate, along with other Directorates, 
also work together on common interoperability challenges through the Department’s 
new Office of Interoperability and Compatibility. This Office, housed within the S&T 
Directorate, was created to coordinate the multiple interoperability efforts and 
needs of the Department as well as look to leveraging the vast range of interoper- 
ability programs and efforts within the Federal government. Additionally, the DHS 
S&T Directorate manages the SAFECOM Project charged with partnering with 
state and local governments to improve the interoperability of federal, state and 
local LMR communications for first responders. In this area as well, iAlP support 
to DHS S&T through participation and review of Project SAFECOM activities, in- 
cludes assuring that the WPS can effectively interoperate with Project SAFECOM 
solutions as technology dependency eases to a more open environment. 
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b. Describe how First Responders will be able to benefit from the re- 
sults of these efforts. 

First Responders are increasing their dependence on wireless communications for 
command and control during emergency operations. The WPS program provides gov- 
ernment and private sector leadership, such as incident commanders, with priority 
access to the public cellular infrastructure. The WPS link improves the commander’s 
ability to receive reports from and give instructions to First Responder teams and 
other supporting organizations. Without the WPS link, command and control could 
be degraded because of cellular call-congestion in the vicinity of the incident/ emer- 
gency for all government and private sector leadership. 

Deployment of WPS across the wireless industry is essential to a full public net- 
work based emergency capability for response as well as COOP and COG needs. 
WPS is the cellular augmentation of the Government Emergency Telecommuni- 
cations Service (GETS). It is anticipated that in the future technology will enable 
the integration of these capabilities with the interoperable Land Mobile Radio 
(LMR) private systems employed by the broad based first responder community. 

Questions From Congressman Jim Turner 

1. When the National Cyber Security Division (NCSD) was created in 
June of last summer, the Department announced it would build upon the 
existing capabilities of several agencies with cyber responsibilities trans- 
ferred to DHS, including the National Communications System (NCS). The 
NCS, however, has remained separate from the NCSD. Yet, the NCS re- 
mains responsible for several cybersecurity initiatives, including the “Net- 
work Security Information Exchanges (NSIE)” and the “Cyber Warning In- 
formation Network.” The proposed budget continues to keep the NCS ac- 
tivities separate from the NCSD. Isn’t it counterproductive to have so many 
core cyber functions outside the National Cyber Security Division? Wasn’t 
the creation of the National Cyber Security Division intended to provide 
a focal point for cyber security threat and vulnerability assessment, as well 
as information sharing, within the Department? 

The June 2003 DHS announcement forming the NCSD was not intended to sug- 
gest that NCS would be fully absorbed into NCSD. The NCS is an interagency orga- 
nization formed under Executive order 12472 to support the President in the provi- 
sion of National Security/Emergency Preparedness (NS/EP) Telecommunications 
meeting the need of the federal government under all wartime and non-wartime cri- 
sis conditions. This is a critical mission that now addresses infrastructure protection 
issues in addition to its traditional COOP/COG focus. 

The NSIE referenced in the question is a government and industry effort initiated 
under the auspices of the President’s National Security Telecommunications Advi- 
sory Committee (NSTAC) and is managed through the NCS National Coordinating 
Center for Telecommunications (NCC). It addresses a very broad range of security 
issues potentially affecting the telecommunications infrastructure. Cyber security is 
only one component of these issues and the NCSD sits on the NSIE to address these 
matters. Also referenced in the question is the Cyber Warning Information Network 
(CWIN). When first envisioned, this private network was focused on the cyber 
arena, as the development of the US-CERT became firm and with further analysis, 
IP recognized that this capability had far more utility than originally intended. 
CWIN is intended to provide information and warnings across all infrastructures to 
our State, local, and industry partners. CWIN has been transferred to the IP Infra- 
structure Coordination Division (ICD) where it will support the cross-sector needs 
for all IP divisions. 

In order to facilitate coordination between these elements, Infrastructure Protec- 
tion is currently building out a watch center facility, the National Information Co- 
ordination Center (NICC) that will include NCSD, US-CERT, NCS, and ICD. Co- 
locating these groups on in a single watch center facility will facilitate the fast and 
efficient sharing of information. Initial move in to this facility is scheduled for the 
first quarter of 2005. 

2. The IAIP budget includes a $1.9 million increase for conducting cyber 
exercises such as “Live Wire,” which was a simulation of a terrorist attack 
on computer, banking, and utility systems. There are, however, existing 
cyber exercises that are up-and-running. Over two years — since before the 
Department was created — the city of San Antonio planned and conducted 
“Operation Dark Screen,” a cyber terrorism exercise that involved both the 
public and private sector and was designed to help the city defend and re- 
spond to a cyber attack. Even within the Department, the Secret Service 
is reaching out to the private sector and supporting table-top exercises to 
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address the security of private infrastructures. What is the IAIP Direc- 
torate doing to integrate and coordinate with existing cyberexercises such 
as these? How much of the requested $1.9 million will go towards these ex- 
isting exercises that have been tested and proven? In addition, what is 
DHS doing to ensure that our local communities and towns, who will pro- 
vide the cyber-first responders in the time of crisis, are prepared? Isn’t it 
true that there is no individual entity or individual within IAIP responsible 
for coordinating all of the cyberexercises being put on by the government 
and, as a result, there may be duplicative efforts? 

Whereas the first responder and emergency management communities have been 
exercising at national, regional, and local levels for many years, the cyber response 
community is quickly catching up. The U.S. Government has an active program of 
exercises to assess preparedness and processes in the event of an attack on the Na- 
tion. DHS has established a National Exercise Program Office (NEP) to coordinate 
scheduling and participation in the exercises sponsored by various agencies. The 
IAIP Directorate is coordinating its exercise planning with the NEP, which is the 
responsibility of the DHS Office of Domestic Preparedness. The IAIP Under Sec- 
retary’s Office has an Exercise Management Program (EMP) that maintains regular 
contact with members of the exercise community and coordinates with the NEP to 
facilitate the Directorate’s participation in exercises. NCSD’s coordination efforts en- 
tail scheduling cyber security exercises with NEP as well as integrating cyber sce- 
nario components into other planned exercises as appropriate. These coordination ef- 
forts with NEP assist in minimizing the duplication of exercise efforts. 

NCSD’s involvement in the NEP is guided by two principles: (1) while cyber is 
only one element of a multifaceted NEP, cyber elements must be closely coordinated 
with other elements of that program to ensure efficient use of limited resources and 
the most effective return on exercise investments; (2) cyber exercise elements must 
not be sidelined or relegated to an “afterthought” category within the NEP. 

In October 2003, numerous federal agencies participated in Livewire, the first ever 
national-level cyber exercise to baseline our capabilities for responding to national 
cyber attack. The exercise involved more than 300 participants representing more 
than 50 organizations across the federal, state, and local governments, as well as 
the private sector. Cyber attack simulation scenarios were developed to stress cyber 
interdependencies across America’s critical infrastructures and baseline government 
agencies’ abilities to collaborate across the public and private sectors. Information 
gleaned from Livewire and similar exercises aimed at ensuring security of critical 
infrastructures are being used to improve our national incident response processes. 

While Livewire brought together a number of players for a large-scale event sim- 
ulation, other exercises target specific areas or agency concerns. For example, the 
United States Secret Service’s (USSS) Electronic Crimes Task Forces (ECTFs) have 
been running smaller regional and sector-specific tabletop exercises over the past 
eighteen months. These exercises are designed to help coordinate efforts in a tar- 
geted geographic area and are tailored to a specific regional infrastructure, such as 
the energy industry in Houston, TX, the high-technology industry in San Francisco, 
CA, and the banking and finance industry in Charlotte, NC. In February 2004, the 
National Defense University ran its Dark Portal exercise and in August 2004, a 
cyber security workshop co-hosted by NCSD and the National Security Council was 
held at the National Defense University. This tabletop workshop exercise included 
members of the National Cyber Response Coordination Group (NCRCG), as well as 
multi-agency key decision makers in the U.S. Government cyber security realm. 

NCSD has sponsored several exercises that test cyber readiness in various geo- 
graphic locations and critical infrastructure sectors across the Nation. In September 
and October 2004, a series of regional exercises were held in Seattle, WA (Blue Cas- 
cades II) and New Orleans, LA (Purple Crescent II). Both exercises were successful 
in highlighting dependencies between cyber and physical infrastructures and inter- 
dependencies among critical infrastructures. These exercises also identified and test- 
ed the coordination and cooperation among federal, state, and local governments 
with the private sector in the case of attacks (both cyber and physical) on the crit- 
ical infrastructures in those regions of the U.S. In addition, each of the exercises 
illustrated the need to continue to provide outreach and cyber education to local 
emergency management and physical security professionals as well as identify and 
improve shortfalls in emergency preparedness. 

DHS EMP serves as the lead organization in the development, facilitation and 
participation of a week-long, cabinet-level national exercise (“TOPOFF3”) to be held 
in the summer of 2005. These national exercise programs occur every two years and 
involve the same basic set of participants. The exercise for TOPOFF3 represents a 
joint physical and cyber scenario, with NCSD leading the development of the cyber 
component for the exercise. It will test not only response to attacks, but also con- 
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tinuity of government and operations, emergency response at the state, regional and 
local levels, and containment and mitigation of chemical, nuclear, and other attacks, 
etc. NCSD is also working with DHS to ensure a more prominent cyber component 
in the follow-on TOPOFF series of exercises for 2007 and beyond. 

The lessons learned from these and other exercises will form the backdrop for an 
NCSD-sponsored National Cyber Exercise planned for November 2005. Planning ac- 
tivities are currently underway with initial groundwork already laid for this effort. 
In September 2004, a key stakeholder meeting was held to discuss the scope and 
objectives with critical infrastructure sector lead agencies. NCSD is in the process 
of planning the Initial Planning Conference (IPC) for the National Cyber Exercise 
that will include representatives from various government agencies and the private 
sector. The IPC will allow the opportunity for the stakeholders to establish clear and 
concise goals and objectives for the National Cyber Exercise as well as to discuss 
and develop possible scenarios. 

The objectives of the National Cyber Exercise are to: 

1. Sensitize a diverse constituency of private and public-sector decision-makers 
to a variety of potential cyber threats including strategic attack; 

2. Familiarize this constituency with DHS’ concept of a national cyber response 
system and the importance of their role in it; and 

3. Practice effective collaborative response to a variety of cyber attack scenarios, 
including crisis decision-making. 

4. Provide an environment for evaluation of interagency and cross-sector busi- 
ness processes reliant on information infrastructure. 

5. Measure the progress of ongoing U.S. efforts to defend against an attack. 

6. Foster improved information sharing among government agencies and be- 
tween government and industry. 

7. Identify new technologies that could provide earlier warning of attacks. 

8. Define the roles and responsibilities of government agencies and industry. 

Questions for Chief Officer Steven Cooper, From Congressman Mac 
Thornberry and Congresswoman Zoe Lofgren 

1. Cybersecurity Standards 

Question: a. How are technical cybersecurity standards being established 
and enforced across the Department for information technology purchases, 
processes, and practices? 

Technical Cybersecurity Standards are promulgated through the Technical Ref- 
erence Model portion of the Department’s Enterprise Architecture Program. There 
are also mature standards established through the Federal Information Processing 
Standards. The Information System Security Managers at the organizational ele- 
ments are responsible for ensuring compliance with standards. In addition, regular 
Program and Acquisition reviews check for compliance with published standards. 

The Department’s long-term strategic approach for the enforcement of information 
technology security standards is to verify policy and standards compliance during 
the Security Test and Evaluation phase of the system Certification and Accredita- 
tion (C&A) process. DHS is currently in the process of establishing an enterprise 
C&A application that will maintain an online repository of all C&A documentation 
and enforce the use of Department mandated C&A methodologies. This application 
will generate comprehensive system test procedures and processes to fully map sys- 
tem compliance with DHS policy and standards. The current status of implementing 
this C&A tool is that DHS has completed the Requirements Definition phase and 
product evaluation phase, and have an operational pilot system which has given 
phenomenal results. We expect to have a Department implementation in the near 
future. 

The Department also verifies proper implementation of policy and standards by 

conducting NIST 800-26 reviews of security controls in accordance with Office of 
Management and Budget Memorandum M-03-19. These reviews are ongoing. 

Question: b. Who sets cybersecurity requirements for the Department 
and how are they communicated to the technology developer or purveyor? 

DHS follows cybersecurity standards requirements established by the Committee 
for National Security Systems for its classified systems, and the Office of Manage- 
ment and Budget, and National Institute of Standards and Technology guidance for 
it unclassified systems. Additionally, mission specific requirements are promulgated 
through the internal Management Directives, as well as through the Technical Ref- 
erence Model of the Department’s Enterprise Architecture. These have been pro- 
vided to industry in general, and are also specifically called out when appropriate 
in contracting vehicles. 
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Question: c. How are cybersecurity standards requirements being incor- 
porated in calls for proposals, grants or other contracting mechanisms? 

The DHS Science and Technology (S&T) Directorate is in the process of estab- 
lishing a DHS-internal Cyber Security Standards Working Group. Within the S&T 
Directorate, the working group will include representatives from the Standards and 
Cyber Security R&D portfolios, as well as representatives from S&T’s Chief Infor- 
mation Officer (CIO) group. Outside of S&T, invitations to serve on the working 
group have been extended to the DHS Office of the CIO, the National Cyber Secu- 
rity Division and the National Communications System in the Information Analysis 
and Infrastructure Protection Directorate, and the United States Secret Service. 
This group will collectively identify what cyber security standards requirements 
should be incorporated into S&T’s R&D portfolio investment plans. 

Question: d. In what areas of cybersecurity do you see a need for new or 
better standards, benchmarks, and other elements of a cybersecurity 
framework, and what can DHS do to help implement such a framework? 

With new areas of technology emerging every day as well as new applications of 
existing technology, there is always a need to refine existing standards and promote 
new ones. The emergence of MPLS has opened many new questions and the means 
to securely implement reliable, secure wireless networks continues to be a challenge, 
as does the management of geospatial data and Law Enforcement Information. DHS 
works closely with the Federal cooperative process through bodies such as the Na- 
tional Institute of Standards and Technology and the Committee for National Secu- 
rity Systems to ensure the success of these efforts. 

Question: e. Does the office of the Chief Information Officer (CIO) use 
any cybersecurity standards and processes recommended by the National 
Cybersecurity Division (NCSD), National Institute of Standards and Tech- 
nology (NIST), and National Security Agency (NSA) to secure the DHS en- 
terprise architecture? 

To the best of our ability, all relevant standards from national bodies such as 
NIST, NSA and NCSD are applied throughout DHS. This includes relevant FIPS 
and similar standards for procurement and internal processes such as self assess- 
ments and Certification and Accreditation are explicitly standards based. 

Question: f. How does NCSD provide actionable cybersecurity informa- 
tion to the CIO to consider in its enterprise architecture implementation? 

DHS participates in the interagency US CERT process. As a member of USCIRC, 
DHS like all participating agencies, gets alerts, warning and mitigation tools in a 
timely manner. In addition, there is a constant and constructive exchange of infor- 
mation between the National Cyber Security Division and the Office of the CIO for 
timely notifications of relevant issues. Actionable items — such as those that may sig- 
nificantly compromise confidentiality or availability are given the highest priority 
for incorporation into the Department’s security architecture which is integral to the 
Department’s Enterprise Architecture. 

2. Purchasing Power 

Question: a. What specific actions has DHS taken to improve its FISMA 
report card in order to become government model for secure information 
systems? 

DHS has implemented a COTS enterprise product to provide automated support 
for 800-26 assessments, manage FISMA metric reporting, as well as Department- 
wide Plans of Actions and Milestones (POA&M). This product is being used to gen- 
erate a Digital Dashboard showing Organization Element performance metrics and 
overall DHS performance metrics, and access to this system has been made avail- 
able to the OIG to ensure veracity of FISMA data reported by Organizational Ele- 
ments. Access to the Digital Dashboard will be made available to senior manage- 
ment in the near future to ensure that senior managers are directly involved with 
the Department’s Information Security Program. In the past few moths we have im- 
plemented several enhancements made to FISMA reporting product for improving 
reporting of 800-26 and C&A metrics. This enhancements include a) 800-26 integ- 
rity checking; 2) computed metrics for 800-26 assessments and C&A; capability to 
upload assessment and C&A artifacts; 4) better tracking of C&A deliverables. We 
have purchased an Enterprise license for a C&A tool (Securelnfo RMS). This tool 
has been installed on an Enterprise server and all OEs are currently using the tools 
with DHS ramping up to full mandatory use. The DHS baseline policy has been 
mapped to this tool and use of the tool will ensure that the C&A SRTM is mapped 
to DHS policy. We have prepared and submitted a POA&M to OMB to achieve full 
ATO on all currently reported systems by the end of July, 2005. To ensure contin- 
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ued progress we have formed a DHS security working group to focus on FISMA re- 
porting and FISMA issues. 

Question: b. Many witnesses before the Subcommittee have suggested 
that a powerful tool the federal government possesses in cybersecurity is 
its buying power. Has DHS used this power to induce hardware or software 
manufacturers to provide more secure systems? 

Every new information technology contracting vehicle put into place by the De- 
partment includes robust security standards. Additionally, the Department regu- 
larly engages information technology vendors to ensure that strong security is inte- 
gral to product development and implementation. 

3. Wireless Funding 

Question: a. The office of the CIO includes funding for wireless activities 
at $100M. The National Communications System (NCS) program budget for 
Wireless Priority Service is $78M. How are your office, the NCS, and the 
Science and Technology Directorate working together on developing these 
programs? 

The Wireless Management Office (WMO), within the DHS Office of the Chief In- 
formation Officer, is mandated to lead and coordinate the Department’s programs, 
projects, and initiatives that involve the wireless transport of information, including 
voice, data, and multimedia. The WMO’s mission, “To be the model program office, 
providing state-of-the art wireless capabilities to preserve our freedoms and protect 
America,” serves to focus and provide direction for the program’s activities and serv- 
ices to ensure the effective use of wireless technologies across the Department’s or- 
ganizational elements. As part of its mission, the WMO integrates its activities with 
the National Communications System (NCS) and the wireless initiatives of S&T to 
meet evolving homeland security requirements. The WMO is primarily focused on 
wireless communications to support internal DHS missions. The NCS is responsible 
for directing the Wireless Priority Service program which supports commercial, pri- 
vate sector wireless capabilities. 

The WMO is working with NCS and the DHS S&T Directorate in implementing 
program activities through groups such as the Wireless Working Group (WWG). The 
WWG is a coordination body established to ensure DHS-wide approaches to wireless 
communications are developed and implemented in an integrated manner. The 
WMO chairs the WWG, which is composed of 80 representatives from all of the DHS 
organizational elements with wireless communications as part of their mission. The 
majority of the WMO’s coordination with the NCS and DHS S&T occurs through 
its participation on the WWG to collect DHS organizational elements wireless re- 
quirements, coordinate resource utilization, and ensure organizational elements play 
an integrated roll in centralized DHS wireless concepts (e.g., system designs, user 
requirements, operational concepts, procurement contracts). This collaborative ap- 
proach is consistent with the Department’s customer service strategy and allows for 
on-going feedback and confirmation that the WMO is adequately addressing the 
needs of its customers and stakeholders. 

Question: b. Describe how First Responders will be able to benefit from 
the results of these efforts. 

The activities of the WMO, in partnership with DHS S&T and the NCS, directly 
benefits first responders at all levels of the government by equipping them with the 
wireless capabilities to fulfill their missions of protecting the homeland. By building 
strong relationships that foster increased coordination among first responders, ena- 
bling and enhancing their wireless capabilities, the DHS WMO — in coordination 
with DHS S&T and NCS — are achieving several objectives to the benefit of first re- 
sponders, including — 

- Implementing integrated, nationwide tactical communications capabilities for 

DHS organizational elements and other public safety first responders 

- Providing technical assistance and implementation of wireless enhancements 

- Advancing the use of emerging wireless technologies among first responders 

These objectives are being met through several major initiatives supported by the 

WMO and coordinated with DHS S&T and the NCS. 

Integrated Wireless Network (IWN): The mission of the Integrated Wireless 
Network (IWN) project is to provide a consolidated, nationwide approach to reliable, 
seamless, interoperable wireless communications to support federal agencies and of- 
ficers engaged in the conduct of law enforcement, protective services, homeland de- 
fense, and disaster response within the Departments of Homeland Security, Justice, 
and Treasury. The IWN will serve as the day-to-day tactical communications net- 
work for the DHS, Justice, and Treasury user community, as well as for those with- 
in DHS and Treasury, replacing outdated and antiquated legacy communications 



59 


systems. As a result, the IWN, in every sense, will serve as the lifeline that directly 
supports the wireless communications capabilities of first responders. 

The IWN represents an investment in voice and data communications tech- 
nologies, the completed system will establish a 24 x 7 communications network, 
complete with support services that will include major disaster recovery and contin- 
gency capabilities (e.g. system back-up). A centrally managed and coordinated ap- 
proach to this initiative ensures that common, standards-compliant technologies are 
procured, thereby fostering interoperability between and among federal agencies for 
more effective and efficient enforcement activities, as well as provisioning commu- 
nications interoperability with our state and local partners for event management 
and crisis response. 

G4 High Risk Metropolitan Areas Interoperability Project: With the demand for im- 
proved intergovernmental communications necessitated by homeland security con- 
cerns, federal agents must increasingly interoperate with other federal, state, and 
local public safety entities. The project was initiated to improve federal interoper- 
ability with local first responders in the highest threat areas across the country. The 
project is being implemented in coordination with the interoperability efforts of the 
WMO, SAFECOM, and the Office of Domestic Preparedness (ODP). 

WMO Sponsored Projects: The WMO is supporting several projects that are im- 
proving the wireless communications capabilities of agencies at all levels of the gov- 
ernment. 

DC Broadband Project: The District of Columbia is currently implementing a 
cost-effective, high-speed, wide area, wireless data network that will permit the use 
of interoperable, broadband, wireless data applications for public safety communica- 
tions. This network will allow first responders in the NCS to use full-motion, high- 
resolution video monitoring and other bandwidth-intensive monitoring tools to im- 
mediately share time-critical incident and emergency event information. 

This will enhance regional and federal first responder capabilities. It will also pro- 
vide accurate interoperability usage profiles and results, collect data on network 
performance (data throughput, coverage, latency, and effective of spread spectrum 
technologies), and implement public safety application requirements and operations 
improvements. 

Phoenix Mesa Interoperability Project: This project provides an opportunity 
for the WMO to partner with state and local agencies and build upon existing com- 
munications system infrastructure. The WMO plans to leverage this existing system 
by installing federal very high frequency (VHF) trunked repeaters at select locally- 
owned radio frequency (RF) sites. The project should result in several key benefits, 
including the demonstration of an innovative application that can be replicated 
across the country, providing potential long-term cost savings for IWN implementa- 
tion, and serving as a model for coordination and partnerships among federal, state, 
and local agencies and first responders. 

The primary goal of the project is to demonstrate the feasibility of local and fed- 
eral agencies utilizing common infrastructure while operating within different fre- 
quency bands. To accomplish this goal, the WMO partnered with the cities of Phoe- 
nix and Mesa, Arizona, who were two of the first cities in the country to implement 
a regional TIA/EIA-102 Project 25 800-megahertz trunked system. The installation 
of these repeaters will enable the WMO to use existing system assets such as shel- 
ters, towers, connectivity, and network management infrastructure. 

SAFECOM: Linking federal tactical communications to local, state, and tribal 
public safety first responders is critical to ensuring seamless, wireless communica- 
tions at the scene of the incident and improving officer safety. In 2002, as part of 
the President’s Management Agenda, the White House established SAFECOM as 
the umbrella program within the Federal Government to oversee all communication 
interoperability initiatives and projects. Through SAFECOM, the Federal Govern- 
ment is addressing public safety communications issues in a more coordinated, com- 
prehensive, and effective way. 

The WMO is working with SAFECOM to improve wireless communications inter- 
operability among federal, state, and local public safety first responders. The WMO 
does so by recognizing and supporting the crucial role of SAFECOM to the benefit 
of first responders to include — 

• Creating and adopting standards 

• Recognizing interoperability and communications issues 

• Identifying current initiatives that address interoperable communications 
issues, and 

• Developing coordinated strategies to leverage work, while decreasing the un- 
necessary duplication of efforts. 
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Collectively, the programs are providing the vital link to improve vertical inter- 
operability among over 100 federal agencies with public safety response to over 
44,000 local and state first responders. 

Federal Partnership for Interoperable Communications (FPIC): The FPIC 

works to advance federal wireless communications interoperability across federal 
first responders by fostering intergovernmental cooperation. The FPIC pursues this 
mission by advancing the following goals to the benefit of the federal wireless com- 
munity: providing technical and operational advice to SAFECOM and federal de- 
partments and agencies; educating federal users about wireless communications 
equipment, security, and operations standards and best practices; and coordinating 
wireless communications interoperability efforts within the Federal Government. 

As members of FPIC, the WMO and SAFECOM work to improve federal wireless 
communications first responders through standing committees and working groups. 
Standing committees — such as the Standards, Security, and Spectrum Standing 
Committees — coordinate ongoing FPIC activities. Working groups are established to 
consider, investigate, and/or act on a specific activity or subject area of interest to 
members. The FPIC may establish partnerships with state/local organizations, asso- 
ciations, departments, bureaus, agencies, or individuals as appropriate. In this way, 
projects of mutual concern to all of the wireless public safety community can be ad- 
dressed in a cooperative manner. 

Question: 4. To what degree do the DHS enterprise architecture plans in- 
tegrate with the federal enterprise architecture effort? How is DHS work- 
ing with other departments to establish cybersecurity standards? 

Support for Federal Initiatives 

EA is one of the means by which visibility into IT assets can enable the federal 
government to find business and financial efficiencies. Our alignment to the Office 
of Management and Budget (OMB) Federal Enterprise Architecture (FEA) continues 
throughout all of our Enterprise Architecture (EA) efforts. Our FEA and e-govern- 
ment initiatives are discussed below. 

Support for the Federal Enterprise Architecture 

Our EA planning project was driven by the concepts and products of the OMB 
FEA Reference Models. We have aligned the various EA artifacts with the five FEA 
Reference Models: the Business Reference Model, the Data and Information Ref- 
erence Model, the Service/Component Reference Model, the Technical Reference 
Model, and the Performance Reference Model. And, more importantly, we have em- 
braced the two FEA foundation concepts: Line of Sight for program effectiveness 
and Component and Service Based Architectures for effective reuse and repeat- 
ability. 

Business Reference Model. The FEA Business Reference Model drove the develop- 
ment of our business model. Several of the Business Reference Model Lines of Busi- 
ness are directly applicable to DHS (in particular, Homeland Security and Disaster 
Management). For all other business activities within the DHS business value chain 
level, there is a one-to-one link to the Business Reference Model Lines of Business. 
The EA Business Model includes a matrix that shows the relationship between our 
business activities and the Business Reference Model Subfunctions. It is important 
to note that every business activity in the EA Business Model is mapped to a Busi- 
ness Reference Model Sub-function. As a result of this alignment, OMB should be 
able to readily identify functional commonality of DHS with other federal agencies. 

Data and Information Reference Model. The Data Reference Model consists of a 
layered model for decomposing collections of information, from Subject Areas down 
to Data Objects and their properties. We adopted this approach and classified the 
information required to support the homeland security business activities at the 
Subject Area and Data Object levels. Further decomposition and description of the 
data objects will be performed in the next phase of the EA process. Our Data Archi- 
tecture aligns with the Data Reference Model concepts by providing a common, con- 
sistent way of categorizing and describing data to facilitate data sharing and inte- 
gration. 

Service Component Reference Model. The DHS EA project has fully embraced the 
FEA Service/Component Reference Model’s component-based approach to the reuse 
of applications, application capabilities, components, and business services across 
the federal government. OMB created the Service/Component Reference Model spe- 
cifically to identify service components and their relationship to the technology ar- 
chitectures of federal agencies. We leveraged the Service/Component Reference 
Model in two important manners: (1) the structure of our Application Architecture 
is a set of interworking components that has direct ties to the Service/Component 
Reference Model, and (2) our Technology Architecture applies a set of technology 
patterns that is derived directly from the technology aspects of the reference model. 
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The Application Architecture has been constructed to leverage reusable compo- 
nents that can be acquired once and used to provide services to many applications. 
It shows the structure of this component reuse. From the set of component architec- 
ture diagrams, it can be seen that there is a significant opportunity to apply this 
reuse concept throughout DHS (and across other government agencies). The result 
should be considerable cost savings, as well as greatly improved interoperability and 
flexibility of applications. 

The Technology Patterns of our EA are repeatable solutions to recurring technical 
challenges. These patterns employ technologies described in the DHS Technical Ref- 
erence Model (discussed below) and provide capabilities as described in the FEA 
Service/Component Reference Model. For example, the Business Intelligence/Data 
Warehouse technology pattern of our EA aligns with the Business Intelligence Serv- 
ice Type of the FEA reference model. 

Technical Reference Model. The initial formulation of the DHS Technical Ref- 
erence Model began with the taxonomy as well as the technical services, protocols, 
and interfaces specified in the FEA Technical Reference Model. The DHS model ex- 
tends and refines the FEA model where necessary to reflect the additional func- 
tional and technology requirements of DHS. In deriving the DHS model from the 
FEA model, we have also made adjustments to better align the technology cat- 
egories witb the physical layering of services that exist in vendor and open source 
products. The Domain level (Tier 3) categories of the DHS model have all been 
mapped to the FEA model, so that comparisons can be directly made with the tech- 
nical reference models from other agencies. 

Performance Reference Model. Although this FEA reference model was still under 
development during our EA planning project, an initial attempt was made to align 
our Business Model with the intent of the Performance Reference Model, based on 
draft materials provided by OMB. Specifically, the Business Model includes a table 
that defines the outcomes or measurement categories and corresponding indicators 
(metrics) for each cross-cutting, corporate activity defined in the Homeland Security 
Value Chain. Measurement categories are defined for each activity in six areas: Mis- 
sion and Business Results, Customer Results, and Process and Activities, People, 
Technology, and Other Fixed Assets. This guidance within the DHS EA will provide 
specific DHS IT programs with a starting point for applying the Performance Ref- 
erence Model within their Exhibit 300 submissions to OMB. 

Support of E-Government Initiatives 

The Target EA and Transition Strategy identified several opportunities to lever- 
age on-going e-Government initiatives. As you may be aware, the Department is 
currently the managing partner for the Disaster Management and Safecom e-Gov 
initiatives. The Department is also actively participating in six additional e-gov ini- 
tiatives. For example, there are three major organizations within the department 
that provide grants to state, local, private industry, academia, and individuals for 
a variety of reasons that participate in the e-Grants effort. We will be looking more 
closely at this mode of delivery and how it may leveraged into the EA program. 

Finally, the target EA identifies a concept for homeland security information shar- 
ing and knowledge flow — the Homeland Security Information Sharing Architec- 
ture — based on a concept of Communities of Interest adopted from the intelligence 
community. Information sharing with state, local, tribal, and other federal govern- 
ment entities is a critical function of DHS, both as a source of information and as 
the “first responders” to an incident. Implementation of this information sharing ar- 
chitecture will provide value to homeland security community by driving results and 
productivity through effective information sharing. 

In addition to the initiatives for which DHS has the lead responsibility, we expect 
to be a major contributing player or user of several others. We are committed to 
transitioning to projects such as e-Authentication, e-Clearance, e-Payroll, e-Travel, 
and HR Integration. We are actively gaining more knowledge about these initiatives 
so that our role in supporting them and their particular timelines and capabilities 
can be integrated seamlessly into our target and transition strategy. 
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